Friday Squid Blogging: Giant Squids Have Small Brains

New research:

In this study, the optic lobe of a giant squid (Architeuthis dux, male, mantle length 89 cm), which was caught by local fishermen off the northeastern coast of Taiwan, was scanned using high-resolution magnetic resonance imaging in order to examine its internal structure. It was evident that the volume ratio of the optic lobe to the eye in the giant squid is much smaller than that in the oval squid (Sepioteuthis lessoniana) and the cuttlefish (Sepia pharaonis). Furthermore, the cell density in the cortex of the optic lobe is significantly higher in the giant squid than in oval squids and cuttlefish, with the relative thickness of the cortex being much larger in Architeuthis optic lobe than in cuttlefish. This indicates that the relative size of the medulla of the optic lobe in the giant squid is disproportionally smaller compared with these two cephalopod species.

From the New York Times:

A recent, lucky opportunity to study part of a giant squid brain up close in Taiwan suggests that, compared with cephalopods that live in shallow waters, giant squids have a small optic lobe relative to their eye size.

Furthermore, the region in their optic lobes that integrates visual information with motor tasks is reduced, implying that giant squids don’t rely on visually guided behavior like camouflage and body patterning to communicate with one another, as other cephalopods do.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on July 28, 2017 at 4:00 PM191 Comments


Ben A. July 28, 2017 4:07 PM

WikiLeaks drops another cache of ‘Vault7’ stolen tools

Emissary Panda amongst others.

Trust Issues: Exploiting TrustZone TEEs

@Thoth, @Clive Robinson

The End of Triple DES

“The US National Institute of Standards and Technology (NIST) has just announced withdrawal of approval for triple DES (also known as 3DES, TDEA and sometimes DES EDE) in common protocols such as TLS and IPSec.”

Cyber arm of UK spy agency left without PGP for four months

“UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report.”

On Kaspersky

The author dislikes the fact that the “U.S. government used Kaspersky Lab’s products—including on DOD systems.”

KL AV for Free. Secure the Whole World Will Be.

Kaspersky Free is due to be released. Coincidence? You can’t blame the company for wanting market penteration.

Exclusive: Congress asks U.S. agencies for Kaspersky Lab cyber documents

“A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out “nefarious activities against the United States,” according to letters seen by Reuters.”

Going dark: encryption and law enforcement

Reminder: Spies, cops don’t need to crack WhatsApp. They’ll just hack your smartphone

WhatsApp: The Bad Guys’ Secret Weapon

De-Anonymization, Smart Homes, and Erlang: Tor is Coming to SHA2017

Sounds bad: Researchers demonstrate “sonic gun” threat against smart devices

“A sonic “gun” could in theory be used to knock drones out of the sky, cause robots to fail, disorient virtual or augmented reality software, and even knock people off their “hoverboard” scooters. It could also potentially be used to attack self-driving cars or confuse air bag sensors in automobiles.”

macOS Fruitfly Backdoor Analysis Renders New Spying Capabilities

“A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years.”

Novel attack tricks servers to cache expose personal data

“The so-called web caching attack targets sites that use content delivery network (CDN) services such as Akamai and Cloudflare.”

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

EVERY app offered by alternative Android app market redirected to malware

Wallet-snatch hack: ApplePay ‘vulnerable to attack’, claim researchers

Hackers can turn web-connected car washes into horrible death traps

The opsec blunders that landed a Russian politician’s fraudster son in the clink for 27 years

Upcoming USB 3.2 Specification Will Double Data Rates Using Existing Cables

Boing Boing Tigger! July 28, 2017 4:35 PM

“Hackers can turn web-connected car washes into horrible death traps”

What infosec is missing is it own version of the National Enquirer. We do have Taylor Swift tweeting but she occasionally says sensible things so she doesn’t fully count. We need more headlines like:

Batboy uses APT to hack Batman’s car, run over Robin.

Twin Headed Mark Zukerburg Seen Using Both Tongues to De-Worm Tim Cook’s Apple.

Crows Demonstrate Advanced Tool Use Phising Vultures with Spoofed G-Mail.

John McCafee Claims Kaspersky Using zCash to fund Martian Invasion

North Korea Launches Web Attack with 10,000 Armored Spiders

United Nations Appoints Angela Jolie as Encryption Ambassador to Bangladeshi Street Kids

Politicization of Intelligence and Now Justice July 28, 2017 5:31 PM

In last years election hundreds of opposition party members were unmasked (using NSA data) by senior political appointees.
To recover from the ‘damage’ (and to seek revenge) the the Department of Justice is currently being politicized.

When misused, these agencies vast data-mining capabilities become extraordinarily powerful weapons.

This abuse of law brings shame upon the Land of the Free and the Home of the Brave. We are declining into hell. Just listen to the cursing language alone. We’ve stumbled upon the rage making the Devil red…and the wifes’ divorce…

Good security requires humans to seek The pure attributes – certainly NOT those of Cane and Abel.

JG4 July 28, 2017 9:01 PM

@Clive and anyone else interested in energy security

It’s pretty easy to connect energy storage to computer security, because you won’t be doing much computing without electricity. We touched on the fact that not all electroactive materials are equally scarce or expensive. Conductivity is an important figure of merit, but material cost and redox potentials are critical too. It’s not a terrible idea to build a salt/sodium/chlorine battery, except for the safety and corrosion issues. You hinted at Sadoway’s molten magnesium/antimony battery, which certainly owns a unique point in the tradespace. Goodenough, age 94, recently showed that conductive glass can revolutionize lithium batteries. His invention probably applies to sodium ion batteries as well. There is more than enough iron, aluminum, silicon, sodium, carbon, chlorine and various other very inexpensive elements to make a real difference. It will take more than one technology to provide a good fit for each application.

I thought that I said this some time ago:

The carbon in Wyoming, Utah, Montana, Colorado, and West Virginia should never be burned. Australia, Mongolia and China should be included in this list. The coal should be used as electrode materials in grid-scale supercapacitors and sodium-ion batteries, as well as in manufacture of wind turbine blades and other energy infrastructure via a pitch process. Coal is far too valuable to burn.

I definitely pointed out that hydrogen can be used for grid-scale storage by repurposing existing thermal power plants to burn hydrogen. That applies to coal-fired, natgas and even nuclear plants. The thermal losses are more than made up by the capital savings. To say nothing of the savings in middle East adventures and genocides. The US could have put the entire electric grid on solar hydrogen for what was spent in Iraq and Afghanistan.

I’ve probably said before that the two greatest inefficiencies on the old blue marble are the failure of trust to scale and the difficulty of transducing sunlight into useful energy. The latter has changed to the point that the greatest inefficiency is no longer transduction, but storage of renewable energy. Even that problem is going to yield soon. The failure of scalability of trust is substantially what politicians and their propagandists exploit. It’s a much harder problem, but the police are being brought to heel one video at a time. They will be replaced with nonviolent robots, which have no fear of being harmed. Maybe there is cause for hope. It is going to be a very close shave to find out whether the human species can navigate Grinspoon’s gauntlet. That is the narrow space where political skills are tested against the capacity for destruction to find out which side of Woody Allen’s crossroads we take. We’ve been moments from failing the test several times. I would point to a failure of imagination in designing robust systems.

“More than any time in history, mankind stands at a crossroad; on the one hand lies despair and utter hopelessness, on the other extinction. Let us pray that we have the wisdom to choose correctly.” -Woody Allen

Clive Robinson July 29, 2017 12:11 AM

Major company cuts “ineffective” digital marketing

This time it’s Proctor&Gamble finding out they are putting serious money into digital hype.

@ Bruce, if you ever bring back the Snake Oil / Dog House, maybe you should sling the “digital marketing” bods in there to be tared and feathered befor being drummed out of town 😉

Oddly, I take this as a positive sign that a degree of common sense is comming back into corporate culture. Which means there is a posability a rational eye will get cast over other aspects of digital marketing such as “Personal Profiles”. If it does, and new EU privacy legislation might incentivize such a view, then maybe PII will lose it’s faux gleam of gold. What this might do to the likes of Google, Facebook and Twitter is not yet known but the gloss is coming of both Facebook and Twitter as their lack of expansion is being seen by investors, sufficient that comment is made publicaly.

Clive Robinson July 29, 2017 12:19 AM

Reallife catches up with James Bond gadgets

In the film OHMSS James Bond breaks into a Swiz Solicitors office at lunchtime and a largish gadget is brought by crane to the window.

Bond is then seen putting a dial sensor head onto the safe combination lock, which then fairly quickly finds the combination and the safe is opened.

Well at DefCon such a gadget was demonstrated on a similar commercial safe,

Clive Robinson July 29, 2017 12:40 AM

Why drugs wars fail

It is now many yeats since an economist made an observation about dealing with the Wester Drug Problem.

Many places opted the “war path” whilst a few braver ones chose a different path.

Well fourteen years after Portugal effectively De-criminalized drugs it has had a very significant drop in the rate of drug deaths and is now one of the lowest per head of population in Europe.

The key point is that they moved who dealt with drugs from the justice system to the health system.

I guess this success story is not what the “War on drugs” devotes want to hear. But hopefully it will encorage other nations to try the same and thus we get better insight to the issue.

Thoth July 29, 2017 1:33 AM

@Clive Robinson

Most of these codes these days are not very high quality due to emphasis on speed to push out new technology. Security modelling is heavily lacking.

tyr July 29, 2017 2:47 AM


The war on drugs was never about the
drugs it was a way to create an excuse
to attack people whose ideology was
suspect. The poor, the pigmented, the
anti-war activist, the politically
active young folk.

The idea that the government gets to decide
what your pursuit of happiness should be
allowed to do is obscene and irrelevant.

The horrible example of the Volstead Act
banning alcohol should have pointed out
the stupidity of trying to legislate

We have the universal holding act now in
USA, they have made neurotransmitters in
everyones brain schedule 1 prohibited
substances. : ^ )

Thoth July 29, 2017 7:08 AM


Singapore has dipped another level into an even more authoritarian state.

A new directive from the SG MINDEF requires all SG military personnel be it in uniform or plain clothes services to support their country by being the eyes and ears via downloading the SGSecure app onto your phones per new directive. The SGSecure app is essentially a snitching app where you use your smartphone to SWAT and snitch on whomever you want. It allows upload of media and text to a command center which personnels would receive snitching reports in realtime for ‘quick reaction’.

This would essentially turn every single SGPorean into an involuntary snitch as long as they are serving the MINDEF.

The locla govt/elites are so insecure to a point they have to resort to East Germany style mandated reporting on neighbours.



Password July 29, 2017 7:45 AM

This is some of the top passwords for 2016 according to Lists from other places and times are about the same:

123456 123456789 qwerty 12345678 111111 1234567890 1234567 password 123123 987654321 qwertyuiop mynoob 123321 666666 18atcskd2w 7777777 1q2w3e4r 654321 555555 3rjs1la7qe google 1q2w3e4r5t 123qwe zxcvbnm 1q2w3e

See any problems?

The one that bugs me most is:

NO CAPS! Could it possibly be using one capital letter could take your password out of the top 10,000….or million? Or is it assumed lower/upper case doesn’t matter to password crackers? Anyone?

Why no symbols ?/%!@%~…?

Why one lower case word time after time, not two or three?

Why is a dumb word like “dragon” the number seven most used password? That makes no sense. How could potentially millions of people be using THAT pw?

What about other languages? Americans could never think of “bueno” for a password?

I am thinking there is something wrong with the list, or something very wrong with the IQ of Americans based on this list.

OK, I certainly agree there is room for easy, throw away passwords, for example, a site that only requires a pw to read their articles. Who cares if it’s snatched?

Your bank account is a whole differnet matter, though.

Also, a lockout limit of ten tries or less would certainly reduce cracks.

Last, my suspicion is the government and corporations are already recording all of our passwords regardless of how good they might be because:


Scroll through list at, say, What do you think?

Thoth July 29, 2017 7:50 AM


You can search through all our topics we have discussed on passwords and PIN. Password is a bad authenticator when used alone. Bad entropy and mostly repetitive and predictable. Passwords may even be recorded as you said and then quietly used to attack the users’ account.

Boils down to convenience-vs-security as usual.

Nothing can be done as long as the consumers are still fine with oasswords, websites are fine to just accept passwords and browsers being crappy.

Thoth July 29, 2017 8:07 AM

@Clive Robinson

TOR admits it is not up to the job for anonymizing communications on the Internet by admitting that ‘Dark Web does not exist’ after so long.

We have been raving and ranting and the fanbois have refuted vigorously. Now it’s kinda an official waving of white flag.

Well, we should pretty much let thwm figure it out and capitalize it.


Clive Robinson July 29, 2017 8:08 AM

@ Thoth,

A new directive from the SG MINDEF requires all SG military personnel … via downloading the SGSecure app

Two things to say about it,

Firstly just how stupid is the SG, they have just made all their armed forces “targets”. If I was a SigInt agency in another nation I would get a copy of thr app and rip it appart to find weaknesses that could be used to identify SG MF personnel and their locations and habits (as has been done to other nations MF).

Secondly if I was a SG MF person my phone would rather quickly not be a Smart Phone… One of those Nokia 610 look alike “granny phones” with the big keys would be nice 😉

JG4 July 29, 2017 8:19 AM

This week, I saw something very firm that Merkel said about the Russia sanctions, but they’ve got whatever leverage is provided by the transcripts of every phone call she ever made.

New Cold War

Trump says he will sign bill imposing new sanctions on Russia Financial Times

Collateral Damage: U.S. Sanctions Aimed at Russia Strike Western European Allies Counterpunch (Glenn F)

Brussels braces for confrontation with Washington over sanctions on Russia New Europe (micael)

The Al Aqsa Protests Prove That Palestinian Nonviolence Has Arrived Forward (Sid S)

Big Brother is Watching You Watch

Roombas have been mapping your homes for years, and that data’s about to be sold to the highest bidder BGR (resilc). I had thought about getting a Roomba, half as a cat toy….scratch that.

The Soviet InterNyet aeon (micael). Key quote:

    …the story of the Soviet internet is a reminder that we internet users enjoy no guarantees that the private interests propping up the internet will behave any better than those greater forces whose unwillingness to cooperate not only spelled the end of Soviet electronic socialism but threatens to end the current chapter in our network age.

Imperial Collapse Watch

American Failure American Conservative (resilc)

Password July 29, 2017 8:27 AM


Thanks for the reply and resource. Pretty heavy stuff.

My question:

So the best possible, secure and convenient replacement for passwords is?

I hope you aren’t going to say biometrics.

And, thinking that through, cannot biometric authenticators be hacked,(sometimes literally) too? I am thinking if ‘they’ are already recording passwords, they most certainly can and will record fingerprints and faces. Meanwhile, if ‘they’ get your face, it’s really hard to create a new one.

keiner July 29, 2017 9:49 AM


sz (ß) is (in)famous in German language, but STASI is simply a short-form of “STAatsSIcherheit”, so no need for any “Z”… 😉

Thoth July 29, 2017 11:50 AM


The best replacement for passwords and PINs is not one authenticator but a variety used together. Biometrics cannot be used alone as it is rather easy to defeat biometrics that are used alone.

Weigh the situation to see how different authenticators can be used to meet the level of authentication required.

Smart Bulb July 29, 2017 11:52 AM

This researchers are just too smart and people don’t have their resources, so we should be ok right?

“Once the infosec duo had found a suitable car wash connected to the web, the researchers found that the default password – 12345 – just worked. “

Thoth July 29, 2017 12:01 PM

@Clive Robinson

I didn’t want to say it out loud regarding using the app as a SigInt tracker as this would be very helpful to these ignorant people who cannot make proper decisions but can only leech on their serfizens and abuse their status, resources and power.

The good thing for the 5Eyes ICs is that all known ARM A series chips, Intel and AMD chips are backdoored in the hardware level and the leadership here gladly touts iPhones and Androids while in office and a boon for collection of SigInt from the upper echelons here.

Iask July 29, 2017 12:02 PM

Does an extra chunk of plastic glued onto the existing, longtime card reader of an ATM ever have a legitimate purpose? Bank tellers are saying they think it is an upgrade to the ATM machine.

CallMeLateForSupper July 29, 2017 12:49 PM

@keiner @all
“sz (ß) is (in)famous in German language…”

Ah yes… the lovely “hard ‘s'”. It is almost guaranteed to trip up the Auslander. I stifled a laugh when a colleague told me that his hotel was on “Roo-bin-steen-strab” (Reußensteinstraße).

Clive Robinson July 29, 2017 1:45 PM

@ password,

So the best possible, secure and convenient replacement for passwords is?

The answer is dependent on not just your requirments, but the design and functionality of what you are protecting.

Take a phone, the requirment is low security but fast response for incoming calls. But high security with no response time limitation for the dats storage on the phone.

As far as unlocking the receive call function the security is low because the level of harm that can be done by somebody forcing it is low. Thus a biometric finger swipe is about as fast as you can get. So “Something you are”.

As far as unlocking the data storage function the security is about as high as it gets for the phone. As the unlock response time is effectively irrelevant entering an unlock string of a hundred or so characters is only an issue for the human mind. So “something you know”.

Often people talk of “rubber hose” / “Thermo Rectal” / “$5 wrench” crypto analysis, which boils down to using torture / duress to get you to reveal the something you know. The reality for duress these days is not torture but contempt of court, which boils down to jail time often in solitary untill you reveal the password. As far as I’m aware the longest that someone has been held on contempt was in a divorce case and it was 14years[1].

However contempt of court is subject in most places to a “reasonableness test” thus it can only be levied if you are “wilfully witholding” information. Which makes things a little more interesting.

As I have mentioned before, “something you know” does not have to be a password, it could also be a time or a place. Therefore if the phone has a time based lock out or other trip the password would not function unless entered at the correct time in the correct place. There is nothing to say that the place need be in the juresdiction you are in.

Likwise the something you know might be the names and phone numbers of people outside of the jurisdiction that hold “Password / key shares”. If they decide not to cough up the right key share there is nothing you can reasonably do about it. Further if there are three or more key share holders there is no way to show if one of them is supplying a false key share.

Thus you can take this information and build a system around it to show that you do not know the information of how to get into the phone data store, just who to ask, who also happen to be beyond the courts reach.


Clive Robinson July 29, 2017 2:16 PM

@ Iask,

Does an extra chunk of plastic glued onto the existing, longtime card reader of an ATM ever have a legitimate purpose?

Very rarely. Some ATMs have had modifications to make the insertion of shims harder, others clear blocks to prevent earlier types of skimer. Have a look at Brian Krebs site, he has a page dedicated to ATM skimers and pictures showing not just skimmers but ATM modifications.

Clive Robinson July 29, 2017 2:46 PM

@ Thoth,

… the leadership here gladly touts iPhones and Androids while in office…

Hmm where have I heard that refrin befor, was it the US before Obama made it clear the NSA had copies of phone conversations between US senators and right wing Israeli politicos. Or was it in Germany befor Mummy got outed. Oh then there was that US diplomat woman who slagged people off over her phone and it got published in newspapers. Then there was…

Yup you’ld think people would have wised up by now, especially if they are at the top of a very shaky pile with a very long way for them and their family to fall.

Password July 29, 2017 3:18 PM

@Thoth, @Clive

I like your ideas a lot:

-minimum 2 factor
-layered approach
-risk calibrated
-consider time lock (really good idea)
-multi key share holders for critical functions
-time/location qualifiers

Seems to me, there is no need for authentication to rec. call on a properly unlocked phone.

The UK law regarding revelation of pw/s is disappointing to say the least. The USA police lobby is no doubt patiently waiting for the right situation to reveal itself to demand a change in the law to jail people for not rele asing pws. It will happen soon enough. Because: Security. (I call it the BS justification for repealing constitutional rights.)

Maybe consider something other than symbols, like a knuckle print, or a literal/physical key, an image, finger painting….

How about a key that dissolves in water? Then the device can only be opened as a factory reset.

I think the issue hasn’t been brainstormed enough.

Meanwhile, isn’t the password still the best possible safe and convenient method of authentication right now? Maybe we should work on better passwords.

I remain opposed to standard police based biometrics, especially facial ID which is the golden fleece of World Wide ID. Meanwhile, fingerprints not only can hacked legally and illegally with ease for the determined adversary.

Middlesex Housewife July 29, 2017 6:14 PM

Crowd sourcing.

Does anyone know of bulletin board software (such as Vbulliten) that implements hardware two-factor authentication (such as Yubikey) for administrators and moderators? Ideally of course open source.

++Ungood Torcrime July 29, 2017 7:22 PM

@thoth, Why are you distorting what Dingledine says? He said most Tor users don’t use hidden services. You are entitled to your Resistance-Is-Futile opinion but you should not stick your hand up someone else’s butt and shake him around and make him say it like he’s your puppet.

The words you put in Dingledine’s mouth dovetail remarkably with Sessions’ slogan, ‘the darknet [sic] is not a place to hide.” Neither version is convincing in the absence of evidence. And FBI getting lucky catching nitwits is not evidence. As you know, Silk Road was so infiltrated that featherbedded Feds took advantage of the commotion to steal bitcoins for their personal retirement nest eggs. And Cazes put his Alphabay contact email everywhere but on the Goodyear blimp. Neither instance is dispositive of Tor vulns. It’s much more consistent with FBI finding, or eliciting, easy-bust crime by helpless morons, in a cookie-cutter adaptation of their so-called counterterror provocations.

Transparent Giver July 29, 2017 7:58 PM

The Shadow Brokers are most likely Israel. They stole the emails too. Israel is capable and they want to dominate US politics. Trump acts like he works for Netanyahu

Ergo_Sum July 29, 2017 8:04 PM


Seems to me, there is no need for authentication to rec. call on a properly unlocked phone.

Seem to me, there is no need for unlocking to receive a call on the properly locked smartphone either. For that matter, receiving text shows up on the properly locked smartphone, among other things.

It’s really good, especially if and when the same smartphone is also used for “two-factor” authentication via PIN number.

Zombies vs Robots July 29, 2017 8:11 PM

Most states have finally banned texting while driving as two thirds of serious auto accident involve distracted driving.
Now Honolulu becomes the first major U.S. city to pass legislation aimed at reducing injuries and deaths from “distracted walking.”

They hand-fed zombies cannot handle complexities of human relationships after being trained to just close the tab. They are overweight with low sperm count. Forget marriages and families to repopulate the Earth.

From these observations I for one am tired and disappointed in the zombie generations. Who would prefer the intelligence of a cyborg or robot instead?

Maybe the ulterior plan is to reduce the numbers of humans and make Earth sustainable. If this is the plan, its already working. Simply give smartphones free at puberty (13) and supplement with pleasure dolls (to supplement the porn).

Benefit of Robots
With robots replacing people (no more wars) will there be less of a need for lies (politicans), advertising (data-mining) and eavesdropping (spies)?
Will a robot neighbor better maintain their house like cutting the grass?
Will robot mates change their mood without getting angry or offended?
Will robots decrease road rage and accidents?
Will robot need health insurance or food?
Will robot offer reliable, deeper and life-time friendships?
Will a robot do the household chores without complaint?
Will a robot be your personal physician and nurse?
Will a robot be better equipped for 24/7 home security?

We Can Change The World (not!)
Who can stop Silicon Valley/Wall St from creating addicted zombies?
Without drastic change, the number of people will markedly decrease in each successive generation. Just as robot capabilities will drastically increase (already today social media consists mostly of revenue bots)
What will it take to reverse this terminal end-game? How about basement income with free Internet access?

Ergo Sum July 29, 2017 8:18 PM

Regarding passwords…

This is what I’ve wrote about passwords in my blog couple of years ego..

Password had been with us for a very long time and has shown incredible persistence. Despite countless attempts and near-universal agreement to replace them, passwords are more widely used than ever. Poor security is obviously the main concern of security experts. However, since even strong authentication technologies are vulnerable to certain attacks, more details on exactly what is required of a replacement is essential.

The U.S. government’s 2011 NSTIC initiative, “National Strategy for Trusted Identities in Cyberspace”, summarizes things concisely: “passwords are inconvenient and insecure”. The summary suggests that the implicit goal is “more security, more usability (at reasonable cost)”. There is little to disagree with here; however, it does not point into the direction that would be a suitable replacement. The resources protected by passwords are diverse, from local and corporate accounts, financial accounts with substantial assets, throwaway email accounts, web forum accounts and so on. Clearly, not all type of accounts have the same security needs. Nor do all people have the same security needs; politicians and celebrities in general may require better protection than others need for banking. What should be the starting point for evaluating technologies for the password replacement?

Evaluating the current vulnerabilities for password authentication system is a good starting point. After all, one of the implicit goal for the new authentication method is more security. While usability and cost are important, they usually take a backseat when increased security is required. The end-users and upper management certainly will disagree, but let us just go with the initial assumption and aim for secure authentication.

Password requirements have changed substantially during the years. Long gone are the short alpha and/or numeric only password, at least should be at resources where security is important. Most, if not all systems allow settings password policies that includes complexity, account lockout after x number of attempts and defines expiration as well. Guessing complex and relatively frequently expired passwords is not that productive. It is more of a “my lucky day” type of guess, if successful.

So, what is wrong with the password? It is vulnerable to key-loggers, social engineering, and password cracking.

Arguably, the client devices are the most susceptible for having the account credentials stolen. The source of this issue is the malware-infected devices that had been with us for a long time and will continue in the near future. The bad news? The compromised host or a mobile device enable cyber-criminals to bypass virtually every two-factor authentication system.

Social engineering is manipulating people so they give up the sought after information. The types of information the “social engineer” is seeking can vary, but usually centers on account credentials, financial information, etc. Once the account integrity compromised, the “social engineer”, or designee bypasses virtually any authentication system.

Password cracking requires the password hash that is stored on the device locally, or on the authentication server. Without password hash, none of the password cracking solution would be able to decipher the password. Cyber-criminals utilize various means to obtain access to the password hash, such as exploiting system vulnerabilities, client devices and social engineering. With the compromised authentication server at their disposal, cyber-criminals are capable of bypassing virtually any authentication system.

Are these password vulnerabilities, or the culpability belongs to somewhere else?

The logical answer is that both the client devices and servers are responsible for the password vulnerability. Securing these devices should be the first step in preserving the integrity of the account credentials. Otherwise, the biometric or other types of authentication methods may not provide the desired level of account security. For cyber-criminals, it does not make a difference, if the stolen account credential is password or fingerprint for example. Well, there is a difference. It is easier to replace the password than the fingerprint. Not to mention that while passwords are unlimited, fingerprints for the end-user in question limited to ten.

Based on history, securing the client devices and authentication servers is not likely to take place anytime soon. In which case, replacing password with other authentication methods may provide a seemingly marginal security improvement. The security improvement might turn out to be temporary in nature. At least until the cyber-criminals develop malware that exploits different authentication methods with ease on a wide scale. Keep mind that there is malware available now that capable to exploit two-factor authentication method. Thread lightly….

Pasword July 29, 2017 8:43 PM


Thanks for the informative and helpful replies. If I interpret your comments correctly, I think you are saying, ‘sure passwords suck, but there’s no viable alternative at the moment’.

If so, I agree.

I also appreciate your skepticism regarding alternatives like biometrics. If passwords can be cracked, why not biometrics?

Must admit I am NOT sure where you are going with, “securing the client devices and authentication servers is not likely to take place anytime soon”. What’s that about? How does one secure a device, other than by password and pin?

I am going to jump in here with a thought that seems to have zero traction. My thought is governments and corporations everywhere are secretly and literally stockpiling usernames and passwords in the name of security and profits.

IF I am right whether one uses the username of ‘admin’ and password of ‘password’ is no different than using some sort of two/three/four factor stenographic/holographic triple whammy encrypted authentication.

Authentication is an unfinished piece of work, that needs to be finished.

Rachel July 30, 2017 1:19 AM

At Password

Clive, Nick P, Thoth, Wael and some others have discussed your questions and these dilemnas in great detail over years – definitely do a search for those discussions

Rachel July 30, 2017 1:29 AM

Now Honolulu becomes the first major U.S. city to pass legislation aimed at reducing injuries and deaths from “distracted walking.”

thanks for this. What took so long?! I have long wished that ‘operating a phone whilst in locomotion’ was subject to a penalty. The above doesn’t go far enough (just crossing the street) and isn’t much money relative to the activity – but it is a start. The number of times I’ve been walking a busy city street to have phone texters literally walk into me – not to mention the multiple hazards without even leaving the pavement. When I’m walking I’m looking at everything 180 degrees

One the other hand, some may prefer old mate Darwin to get a say, whereby the penalty for crossing the road looking at phone is – wait for it – being required to cross the road repeatedly, whilst playing with said phone?

Rachel July 30, 2017 1:37 AM

Dingledine said that he knew about two thirds of the people running Tor relays and could vouch for them. Intelligence agencies didn’t need to set up their own stepping-stone nodes he said, since they could – if they wanted to – just monitor those who did run them.

I know a great game. It’s called take a stick who can poke the most holes?

Thoth July 30, 2017 1:45 AM


re: TOR/Dingledine news

I did post that news above and the results was as expected … fanboism occurred.

Rachel July 30, 2017 2:32 AM


thankyou, yes it was because of your link I singled out that ridiculous paragraph. But hey, if the boss says ‘everythings fine’ – then great!

Thoth July 30, 2017 2:33 AM

@Clive Robinson, Nick P, ab praeceptis, Rachel, et. al.

We assume that TOR is suppose to be a Castle (Castle Model) to protect against metadata harvesting, interception of communications and manipulation and disruption of traffic.

“Dingledine even went as far as saying the dark web – a landscape of websites concealed within networks like Tor – is so insignificant, it can be discounted.”

It sounds like the Castle is strong against attackers but …. we have a feel people we want to discount from it’s defenses.

“There is basically no dark web. It doesn’t exist,”

If there is no Dark Web, then what is TOR, I2P et. al. suppose to be ? Secret Web ? Priv Web ? Give it any name, it still does the same function. Nice try justifying to legitimize TOR in front of journos and politicos but not trying to point out that all the misconceptions have their roots traced back to 5Eyes IC, LEA, Def Contractors’ offensive mission plans to discredit anyone trying to evade tracking and the campaign the Powers That Be trying to smear privacy and personal security is actually working pretty damn well.

“The most popular website visited by Tor users was Facebook, Dingledine said.”

How does he know these statistics unless he’s either making something up or he’s been monitoring the traffic and have some access methods to get his statistics ?

“Edward Snowden showed that yes, a number of nodes had been run by government snoops, Dingledine said, but not very many – not enough to compromise the integrity of the mesh.”

How can he prove that integrity of TOR is not yet compromised ? Similarly to be fair what can be used to proof that TOR is compromised … until we start to pull up reports on Universities in bed with ICs and LEAs to do their dirty work using students as low wage/free technicians or maybe let’s pretend the mega breaches on TOR didn’t occur OK ?

“Dingledine said that he knew about two thirds of the people running Tor relays and could vouch for them.”

Again, he says he knows the people but he is not us and we do not know these people who run relays. He can trust his friends running the relay but why do we need to listen to him and believe his friends ?

” A chap called Julian Jackson found that it was possible, on some Linux systems, for a malicious URL to make Firefox bypass the Tor network and reveal the user’s public IP address.”

TOR proxy bypass bug is a very severe bug and talk about TOR being secure. You do not need to break a protocol but just break the underlying computing layers and the protocol would simply be useless. This is how Apple’s iPhone case was solved by simply finding vulnerabilities in the implementations and not needing to write backdoors or frontdoors.

“Firefox is still the preferred browser for Tor, Dingledine said, and Chrome is still causing concern due to its proxy bypasses.” Look at the huge amount of CVEs for Firefox, Chrome et. al. and one would wonder how secure and trusted the computing layers TOR is built on. Shaky grounds at best.

“The project’s software is also being updated to allow for simpler and more secure hosting of sites.” Hosting and deploying TOR above Windows, Linux, Mac ? Nice try doing them on shaky grounds. At least use them on OpenBSD but hey, TAILS would be very secure right ? All that TOR + Firefox + Debian Linux + Gnome 3 magic ? How about a TAILS OpenBSD edition to make it even more secure at the very least ?

“The biggest need is Windows developers, we were told. Most Tor staff are Linux users, but the project is used by heaps of folks on Windows.”

Just use a LiveCD containing a TAILS/OpenBSD edition to boot up and that will be fine. If the user is too lazy to do a Live CD boot, they might as well forget about security because they are not keen on trying to do something pretty simple like a Live CD boot which is inserting a CD or even a USB boot image into the PC.

“A benefit of the Snowden leaks is that Tor is seen as the best option for anonymous web use.”

Because there is not many choices anyway and the 5Eyes are very very keen on silencing anyone trying to do just that 🙂 . Try harder to evade their detection and you will probably be flagged.

If TOR really wants to provide higher security, the above suggestions need to be used to make TOR more secure but alas, just like any organisation they stagnate.

TOR will be honored by having a place on my Hoilydays.

Rachel July 30, 2017 2:36 AM


the grugq said only 3 % of the nodes need to be owned to own the network. 3%!
for some reason he is or at least was an advocates, albeing only 5% of his advice

Clive Robinson July 30, 2017 3:14 AM

@ password,

Must admit I am NOT sure where you are going with, “securing the client devices and authentication servers is not likely to take place anytime soon”. What’s that about?

It has to do with two basic issues “communications security” and “end point security”.

If you think back to the time before the mid 1980’s the big problem in the communications security area was that with the early network or serial terminal communications the password went in plain text along the wire, where it could be easily grabbed via a “vampire tap” or inductive or capacitive probe. In secure facilities of the time the wires were put in pressurized conduits with preasure sensitive alarms along it’s length and the conduits mounted in a way that visually checking them along their entire length was easily possible, and a technician would “Walk the Line” frequently. There were other systems used later such as Time Domain Refectomatory (TDR) and end to end encryptors.

To bring the communications security more upto date it’s been known that for some time SSL had very real vulnerabilities and now and for the foreseeable future it would be safe to assume in all probablity vulnerabulities still exist.

So for the likes of the SigInt agencies like the NSA, GCHQ et al, who all prefere to work one or two steps upstream of a target for their own security. The SigInt agences preference would be to get at the plaintext password in transit by exploiting crypto system faults, rather than put “end run” spyware on a targets communications end point where it can be found or easily removed. However for LEO’s currently the opposit applies due to legislation and warrant requirments, but that will no doubt change.

Thus you have to consider how to make the password only of use to the user not an evesdropper.

The original idea for this was a One Time Password. The –incorrect– theory was that if it was intercepted it was of no use to the attacker and if an attacker blocked / interfered with the communications to the destination machine the user would notice. It was incorrect because a sufficiently clever attacker could make their Man In The Middle attack look convincing to the majority of users, as attacks on banking/financial systems have repeatedly shown .

The failure as I’ve noted here more than a few times was due to having an incorrect thought process of “authenticating the channel at setup” not “authenticating each transaction”.

Worse still some people decided that determanisticaly generated One Time Passwords that changed with time would be fine… We saw that idea crash and burn with the RSA secure ID tokens, when attackers simply stole the seed values from the RSA tech support system where they were stored.

Securing the communications between a client end point and server end point is a very hard problem, but we do know of solutions.

But even if you secure the logical communications channel and authenticate the transactions within it you still have the end point problem.

If your security end point is not beyond the communications end point devices then there is a vulnerability to “end run” attacks, of which there are a great many.

The most well publicized end run attack is “Shoulder Surfing” that is you somehow get to see the users fingers move and thus work out the password they are typing in. Only slightly less well known is “key loggers” where a physical device is put between the keyboard and the computer. Then there are IO shims in the device driver level etc etc… which boils down to the reality currently, that anywhere onwards from the nerves to your forearm muscles through to the communications crypto of the security end point is vulnerable. That is the resolution of some EM scanning/radar systems is sufficient to see the physical movments of your arms, hands, fingers with enough detail that static passwords can be deduced. Energy radiated from or to the keyboard and electronics likewise.

The only answer we have to this is to extend the security end point around the user by “energy gapping” them from the world outside the security end point. Which in essence is what a Sensitive Compartmented Information Facility (SCIF, pronounced as “skiff”) can do. But only if it is properly setup and security managed 100% of the time, which is difficult to do.

Clive Robinson July 30, 2017 3:46 AM

@ Rachel,

Now Honolulu becomes the first major U.S. city to pass legislation aimed at reducing injuries and deaths from “distracted walking.”

I must admit I’m all for it but it will not go far enough.

As I’ve mentioned before I use elbow crutches. The consequence of this is unless I behave recklessly I move slower than those walking behind me. Thus just like a post or rock in a flowing stream I have an eddy in front of me. People comming towards me discover that when they get to me I’m not going to get out of the way because it’s dangerous for me to do so. So they push back into the oncomming stream and create considerable turbulance when they do.

HOWEVER you get the “dip5h1ts” playing with their phones, iPods, games consoles and even watching movies… I see them and I stop, they walk into me, and then some have the gaul to accuse me of being in the way.

Although I have not done it yet the temptation to kick them hard somewhere sensitive then shish kebab them on one of my crutches is getting to the point of irresistability.

Perhps a law that would permit me to just stomp on them till they squealed –not squelched– would stop me from doing one of them serious injury from the shish kebabing they so rightly deserve…

ab praeceptis July 30, 2017 6:27 AM

@Thoth et al.

Funny. In a way dingledine signs the “actually we are clueless” declaration without even understanding it.

He knows x% of the node or whatever people? Nice for him but utterly irrelevant.
He’d vouch for them? And nsa spooks vouch for surveillance being the best thing for the citizens right after sliced bread. Plus: that’s irrelevant.
Etc. etc.

The problem with both tor and dingledine is this: security isn’t based on “humpty dumpty bang bang” incantations or other social vodoo. It’s based on proper analysis, proper design, proper crypto, and proper implementation. And the measure isn’t “hey, they’re nice pals” – it’s logic and reason. And it’s verifiable – or not, as in the case of the tor, “secure linux distro”, and spooks swamp of questionable vodoo “security”.

His facebook hint is, pardon me, simply moronic. One might as well declare crime irrelevant because, duh, hardly x% percent are criminal while most people act legally.

Summary: That guy made an attempt at – rather blunt – social engineering. Let his musings be discussed on reddit. Here we have another topic: security.

@Clive Robinson, Rachel

I’m strongly opposed to any laws against using smartphones (or even blindfolding) while walking. Reason: Such laws would hamper the process of natural selection. In fact, I’m all for opening many covers of manholes on sidewalks.

EMP Pulse Suggestion July 30, 2017 7:02 AM

Re: War Footing
With million of lives nearby at stake, powerful EMP pulse weapons would drastically limit retaliation.
The follow-on phases can proceed within minutes…

JG4 July 30, 2017 7:36 AM

all models are wrong, but some are useful. the particular model behind LTCM won a Nobel prize, but their wipeout almost took down the financial grid.

the key to success is understanding the limitations of your models. Clive has done an excellent job of explaining the limitations of various models (e.g., TOR) again and again. to be fair, the Black-Scholes model almost certainly was applied incorrectly, but there also were errors in modeling of risk, which is the substantially same thing as models of pricing statistics. it is quite difficult to make sound business decisions where the time value of money is set by liars, thieves and murderers. in Austrian economics, the time value of money is a signaling mechanism from savers to businesses about future demand. distorting those signals via non-market mechanisms essentially is the same thing as disseminating fake news. I forgot to include these yesterday:

Fake News

How CGI, AI will empower ‘fake news,’ make it harder to tell if videos are real Business Insider (resilc)

A Fake-News Warning From a Former Propagandist Bloomberg. UserFriendly: “Sigh.”

Kakutani, Risen among 100 NY Times buyouts New York Post. The debasement of the Grey Lady continues. Maybe they’ll rehire Judy Miller.

here’s todays crop. I’m including the space link because I realized yesterday that offering satellite launch service creates an opportunity to inspect and modify the encryption hardware. that was discussed a lot in the late 1990’s when a failed Chinese launch of a US satellite had the encryption module go missing. the theme of today’s commnts is “quality of information/signals”


China’s quest to become a space science superpower Nature

486 face punishment for links to China’s fake research paper scandal SCMP

Police State Watch

34 criminal cases tossed after body cam footage shows cop planting drugs Ars Technica

…[further proof that the FBI are dirty]
Judge balks at FBI’s 17-year timeline for FOIA request Politico

Hackers break into voting machines in minutes at hacking competition The Hill

Imperial Collapse Watch

Measuring up US infrastructure against other countries The Conversation

Big Brother IS Watching You Watch

Apple Removes Apps From China Store That Help Internet Users Evade Censorship NYT

Trump Transition

Tillerson Mulls Closing War Crimes Office American Conservative

Clive Robinson July 30, 2017 7:56 AM

@ JG4 and others with an interest in alternatives to coal and nuke energy,

You might find this articles from the UK’s Guardian about Al Gore and his new film of interest,

Unsurprisingly the Koch Brothers get a dishonorable mention, as does Trump and UK PM Therese May. Also Bush and Putin and one or to other well known names.

++INGSOC July 30, 2017 8:03 AM

@thoth, more manipulative quasi-reasoning, in this case labeling, to wit, ‘fanboi-ism,’ defined for your purposes as any statement inconsistent with the Beevis-and-Butthead Golden Stickers huhhuhhuh-huhhuhhuh-huhuhhuh ridicule campaign, which to be fair was funny the first four hundred times or so.

Better 2nd try at 02:33. Arbitrary state interference with Tor is an inductive question, since it may or may not be succeeding at any given time. But the notion that acting to defend your privacy just gets you in trouble, or flagged, or something vague and ominous, that’s just standard cop-level scare tactics.

The fundamental thing that makes you come off like a government propagandist is the fixation on impugning elements in isolation. When you know that reliability is a complex function of parallel and serial components, and that complexity can work for you or against you. When you know rational persons use multiple social and technical privacy protections in diverse combinations. It may not be bad faith, maybe it’s just ego-involved debate stuff, but you’re talking like nobody knows that assemblages have emergent properties, so it won’t occur to them if you don’t say so. That can either be dishonest or dumb. Either way it fails to make the case.

Clive Robinson July 30, 2017 8:20 AM

A couple of links that may be of interest,

Did you know that the father of information theory, Claude Schannon, also had an interest in using physics to predict where the ball on a roulette wheel would land? Or that he and a graduate built what is possibly the worlds first wearable computer to exploit it?

I have an interest in satellites especially micro or CubeSat satellites that get used for scientific tests and act as radio realays for those ordinary citizens who hold Ham / Amateur Radio licences. Well things have got smaller such as large postage stamp size some call NanoSats,

Fun as they sound, you have to remember they are moving at a similar speed to flakes of paint that have shot through the aluminium skin of other space vessels, so they are potentially quite deadly.

Wael July 30, 2017 9:23 AM

@Clive Robinson,

Or that he and a graduate built what is possibly the worlds first wearable computer to exploit it?

Possibly true. But their computers can’t match Narnia and George developed by Kieth Taft. Shannon and Thorp surpassed Taft in theory, physics and mathematics, but they were no match to Kieth Taft’s electronics wizardry and innovation in the field.

Only Narnia would fair well against the rigged shufflers of today. I hinted at that to @ianf a while back, then again here, but he didn’t bite! If you play at casinos, you are being cheated, and legally so. Because regulators aren’t well versed on how Random number generators work, or more importantly: how the random output is used! Either that, or they’re in on it. All you have to do is search for patents of a famous shuffled brand 😉

so they are potentially quite deadly.

Fascinating topic! Learned a few things (and a couple of new words.) So long as the sprites are lower than 400 miles, it’s all good – so they say!

Scientific American and Discover were my two favorite publications until the mid nineties.

Hartmut Hopp July 30, 2017 9:34 AM

The ‘golden stickers’ animus could be based on a particular set of occupational blinkers. Ab proboscis, as the most articulate advocate, makes it clearest. Joanna Rutkowska distinguished at least three approaches to security: correctness, isolation, and obscurity. Ab proboscis is the apostle of fundie correctness. Correctness would certainly be nice. But Rutkowska, taking the pragmatic approach of a person for whom the computer is a means and not an end, has looked at the world as it is today and chosen to compensate for deficient correctness with isolation and obscurity. That may be why Snowden, who was pragmatic enough to make fools of the NSA, has chosen to make use of it. Let us hope, for his continued survival, he uses it judiciously and supplements it and complements it and tinkers with it to make its many weaknesses idiosyncratic and harder to exploit. As everyone knows, it would be dumb to rely too much on any one technical expedient.

That brings us to the strange part of this reasonable insistence on correctness: the name-calling. Fanboi-ism, humpty dumpty bang bang, incantations, social vodoo. No matter how much you make fun of them, people are going to defend their right to privacy and association and information and expression. What purpose is served by ridiculing a caricature? That line happens to support DoJ’s propaganda campaign of scaring people away from all technical privacy protections. It raises the question, Whose side are you on?

Humdee July 30, 2017 10:07 AM

Re: Tor

I’m unclear on what Roger’s actual point is. If there are only a few hidden services and thus the “dark web” is in fact non-existent then (a) that is very bad for Tor generally because hidden services were one of the main motivating factors for keeping Tor going after the US Government “abandoned” it. Seriously, come on Roger, do you really mean to suggest that whole game plan all along for Tor was to serve as super secret backdoor into FACEBOOK??!! Or maybe Roger means to imply that while maybe Facbebook isn’t the past it’s the future so everyone should be prepared to kiss Mark Zukerburg’s ass as he runs for President? (b) and if any of those are the case what the hell is the team doing on their much vaunted work to improve hidden services so that they actually work? Is this more frosting on the cake to make the honeypot sweeter?

Reading between the lines what I hear Roger saying is: “people, relax, you don’t have to worry about Tor because under my leadership we messed things up so badly the whole project has failed its mission.” OK-DOH-KAY. If you say so Roger.

ab praeceptis July 30, 2017 10:18 AM

Hartmut Hopp

How immensely funny you are! Maiming my nick and using for yourself the name of a colonia dignidad sadist who is accused i.a. of child abuse. How cunning. Of course that lends lots of credibility to your trying to paint me as an nsa affiliate. Or not.

Unfortunately, you are less smart wrt. security. “Isolation” as a replacement for correct software? Didn’t it strike you that isolation must be based on safe code, too, to work?

Plus an attempt at argument by authority. Rutkowska who all but abandoned the oh so great and secure and game changing project – I’m impressed.

Bend it any way you like, fact of the matter is and stays that IT safety and security are vitaly depending on verifiably correct underpinnings and building blocks. Without that you can incantate your “Rutkowska! humpty dumpty bang bang” all day long in vain.

Have a nice day in your voodoo temple

Thoth July 30, 2017 10:40 AM

@ab praeceptis

We need Voodoo Stickers too besides Golden Stickers !!!!

Next Hoilydays inspiration would be Voodoo doll themed !!!!

It is funny that isolation would do the trick and we have a ton of so-called “security isolation” and one very good example is ARM TrustZone especially the Qualcomm’s QSEE implementation of the TZ. Yes it does “security isolation” and all that TZ Voodoo and what we have up till now is still holes in QSEE’s “secure isolation” mechanism.

I believe @Ben A posted a news on the TZ exploit news in the first post above and I have refused to answer since I see no point in discussing it here these days. We can try to raise awareness of the problems we discover or noticed but nobody cares and some might even start calling us out. Not worth the effort.

Let them continue uninterrupted in their Voodoo Golden Stickers dreamland.

Ergo Sum July 30, 2017 11:06 AM


Must admit I am NOT sure where you are going with, “securing the client devices and authentication servers is not likely to take place anytime soon”. What’s that about? How does one secure a device, other than by password and pin?

I was referring to the historical, current and future security/vulnerability of the client devices and the authentication servers. This includes operating systems, applications and the hardware in itself. Patching these is like a “whack-a-mole” game, as soon as you do one, there’s another patch that you’ll need to install. Open or closed source software makes know difference when it comes to vulnerabilities, it never did.

And here we are looking for secure authentication, when the platforms in themselves are not secure. These vulnerabilities allow program logic errors, buffer overflows, man-in-the-middle, or its derivative of the man-in-the-browser, based attacks that can circumvent any authentication method, including SecurID, PIN, biometric, etc. In my view, implementing secure authentication should start with securing the platform first. In which case, the password based authentication could be just as good as any other type of authentication. There’s a reason why password had survived any other authentication methods…

I am going to jump in here with a thought that seems to have zero traction. My thought is governments and corporations everywhere are secretly and literally stockpiling usernames and passwords in the name of security and profits.

I doubt that beyond the authentication servers on hand, there’s an active effort from either parties to do that. Especially, when more than a billion stolen UID/PWD available on the web for download.

Hartmut Hopp July 30, 2017 11:33 AM

A+ for googling your new nemesis (knew you would!) another sort of stereotypical Tor user.

However, citing Rutkowska is not argumentum ad verecundiam. She’s not an authority, she’s an example of how engaged users go about their business. So in dismissing her, you assume away all the actual human rights defenders who can’t wait for your EAL 8 utopia. What exactly do you do for them, other than making fun of them?

Thoth’s very good suggestion of OpenBSD-Tor is a case in point. Why hasn’t anyone put an iso up on github? Where are the OpenBSD Qubes templates to go with the unikernel firewalls already in place? OpenBSD is a pain in the ass. The features of OpenBSD that make it catnip for hobbyists make it useless for civil society. That’s because if your starting point is not human security, all this perfectionistic work is pointless wanking.

Clive Robinson July 30, 2017 12:50 PM

@ ab praeceptis,

I’m *strongly opposed* to any laws against using smartphones (or even blindfolding) while walking. Reason: Such laws would hamper the process of natural selection.

I don’t care if they make it illegal or not, jay walking laws have not stopped jaywalking.

What I want is like a “stand your ground law” for anyone the varmints walk into, and then have the gaul to blaim the person who was not beying a jacka55.

Obviously I don’t want a “throw them under a bus” law, because that has other side effects. Just a law that alows me to take a bit of indignant action to make them realise that,

A, they were being totaly gormless.
B, that gormless behaviour can hurt.

Though I do like the idea of open manhole covers, and perhaps a few low hanging branches or signs.

If they don’t get feedback that certain actions are not to be taken, then there is no incentive for the gormers not to do them. There is that old saying about “Children and fools should not play with sharp edged tools”. Whilst I would not wish to lop off their texting finger perhaps a little twisting to give a sharp reminder, much like the old story about children and hot things. After all it is the T sensor that indicate pain when we over reach and cause the autonomic snatch back/drop action is we touch something hot. Obviously it follows that pain is part of the natural learning process for dangerous activities. So why should I not administer a little pain to a gormer that walking into a six foot six guy on crutches is not a risk free activity.

Oh and the reason for pain not removal from the genetic pool is so they can show their injuries to their friends who are just as likely to be other gormers and hopefully they will learn with out me having to go to the effort of teaching them the hard way.

CallMeLateForSupper July 30, 2017 1:07 PM

I am shocked! Shocked!, I tell you.

“… surplus voting machines (purchased in secondary markets like Ebay) were made available to security researchers… [Defcon] organizers revealed that many of these machines arrived with their voter records intact, sold on by county voting authorities who hadn’t wiped them first.”

“The [Defcon hacking] team plugged in a mouse and a keyboard — which didn’t require authentication — and got out of the voting software to standard Windows XP just by pressing “control-alt-delete.” The same thing you do to force close a program can be used to hack an election.”

“Defcon vote-hacking village shows that ‘secure’ voting machines can be broken in minutes”

Milo M. July 30, 2017 1:13 PM

Sometimes technological advancements are due to less celebrated persons.

Story of four US Army enlisted men who derived the blackjack strategy later used by Thorp:

“Roger Baldwin, Wilbert Cantey, Herbert Maisel and James McDermott — long known by blackjack insiders as the nearly mythical ‘Four Horsemen’ ”

Cantel obituary:

Their paper:

Roger R. Baldwin , Wilbert E. Cantey , Herbert Maisel & James P. McDermott, “The Optimum Strategy in Blackjack,” Journal of the American Statistical Association, Volume 51, 1956 – Issue 275, Pages 429-439

Earlier article on Thorp, Shannon, and their computer:

Thorp, “The Invention of the First Wearable Computer”

The paper:

ab praeceptis July 30, 2017 1:28 PM


Uhm? Me bewildered. I always assumed that golden stickers are voodoo stickers, albeit glorified ones.

So, I was wrong, and my “awsomely sakkure system” running in a browser plugin running on lisux-d is not secure with golden stickers alone? I need voodoo stickers, too? Me shocked! I had expected min. 115% bulletproof sakkurity from your cards.

@Clive Robinson

Allow me to guide your attention to the proposition that doesn’t hold -> “they will learn”.

A quick look at a vulnerabilities ticker or db seems to strongly support my doubts.

Another Nick July 30, 2017 2:16 PM

After 2000+ years going at it, the smart bulbs should know that only love – and education- can save us. Hatred should be outlawed.

Peace and cryptos to all!


Gerard van Vooren July 30, 2017 2:34 PM

@ Thoth,

The reason why OpenBSD hasn’t been used as the basis for Tails if probably political. OpenBSD is “OS non grata” in the US since the remarks of Theo de Raadt about the Iraq war. He was right of course but that doesn’t matter. OpenBSD got black flagged. Since Tails is a US gov financed project they just aren’t allowed to use OpenBSD.

That’s my idea.

Gerard van Vooren July 30, 2017 2:59 PM

And why OpenBSD hasn’t been used in Qubes is pretty easy. At the time that Qubes started OpenBSD didn’t have virtualization.

Clive Robinson July 30, 2017 3:04 PM

@ Wael,

So long as the sprites are lower than 400 miles, it’s all good – so they say!

Err no it’s not good, but it is reasonably predictable, which is second best by a long way but usable.

Put simply, at 400miles or less there is sufficient atmosphere to have significant orbital drag. Thus the orbital time is short and measured in weeks not years, and the number of orbits is likewise limited. Which means any accumulated error remains small, and they know where they are so they warn the appropriate people so they don’t launch a rocket through their their orbit. Hopefully avoiding all that is up there.

Further if there is a Collison and lots of debris, it to does not have time to cascade out before it burns up.

I suspect we will see two or three new “prefered orbit” hights below Low Earth Orbit to alow for experimental satellites like these NanoSats / sprites. The lowest of which will be for vanity / CV satellites designed by grads and post grads so they have a project they can talk to prospective employers about. Such projects will be collaborative between different faculties such as aerospace, electronic engineering, physics. The data collected will have real research value but will only be for a short lived period.

Just to show how daft it could get there is no reason you can not strip the guts out of a modern celular phone, replace the radio with something more appropriate and stick it up in orbit with a bar magnet or similar to stabilize it. You would need a mechanism to flip out a couple of solar panels but that is not realy any more dificult than for a coiled wire UHF dipole antenna. The odds are better than even that the electronics would still be OK after a year in low earth orbit. Most modern phones have two cameras which point at ~180 degrees to each other. The lower resolution camera would probably be sufficient to take “Star Sights” to reasonably accurately identify what point on the earth the other camera is photographing. If you replace the lense on the earthwards facing camera you could get night time near IR photographs of earth. Thus 500-1000USD of hardware. But youl’d still be looking at many times that in launch costs (~ 4000USD/Kg of total weight on the pad, plus a heap of other fees, licences, duty etc).

However the sprites / NanoSats are around 30g, you still have the launch and deployment hardware to consider. But a casset style launcher, or even heaven forbid one that works like a light weight “clay pidgen” launcher could be made with well under a Kg of materials. So you could be looking at launching a sprite or NanoSat for as little as 200USD each, if you know how to avoid the other fees. Which kind of makes student satellite projects viable.


ab praeceptis July 30, 2017 3:34 PM

Gerard van Vooren

Indeed, that (no virtualization yet) was one reason. Another reason which is at least very highly likely, is that the gov. – like pretty much always (see e.g. tsa) – doesn’t want (or at least not provide) real security but rather security theater; it’s not about security but about making people feel secure.

After all, it would be rather strange when the worst of all eavesdropper and cracker of all, the state, would provide real security to it’s citizens.
And why should he? Most seem to be perfectly happy with some theater and feeling safe.

albert July 30, 2017 3:42 PM

@Rachel, etc.

Re: ‘texting walkers’: I’m not a fan of texting and I avoid it whenever possible. The advantage of having text data on ones phone can be useful, but is overshadowed by LE/IC love affair with having all that data in machine-readable form. Voice can communicate more information in a very short time. I found that some ‘social engineering’ can reduce the amount of BS texting by not responding immediately, if at all. Note: Caution might be required if the textor is your loving partner/spouse. In my case, there’d be the Devil to pay, so to speak.

You might try (just for laffs) carrying one of those compressed-air-powered horns that sailors use. They can be quite small, but -really- loud. You could rig it inside a bag, so it’s invisible to others. Another possibility is a hat with a forward-facing flashing light. It needs to be made for daylight use, that is, extremely bright.

. .. . .. — ….

JG4 July 30, 2017 6:14 PM

was this posted last weekend? it’s quite a story

I knew that Thorp was in Boston on the MIT campus at some point (maybe because one of his coauthors was there), but I missed the fact that he rubbed shoulders with Shannon, Feynman and Buffett, until last week. There was a good book about the kids from MIT who taped wads of $100 bills to their bodies to fly to Vegas. That was much more recent than Thorp’s work, but clearly part of the same intellectual lineage.

I must have missed the discussion of Taft in 2015, because I would have offered two books by Thomas A. Bass, “The Eudaemonic Pie” and “The Predictors” I remember both being entertaining reads, even though I read the first about 25 years ago and the second about 10 years ago. “Just say no to 8u1154it” Not sure why I think that I’ve mentioned those books before. It could have been under my previous names. I think that there were only two that evolved, John Galt III and John Galt IV, which I eventually abbreviated. It will be easy to see that I’ve become somewhat less rabid in recent years.

There is little to worry about the boomers rioting over health care and pension payments, because the firehoses are so effective at knocking over wheelchairs.

tyr July 30, 2017 7:23 PM

@Clive, Wael

How hard would it be to make a cell
phone that won’t work while in motion?
If it detects you walking it stops
working. IF the GPS senses motion
it stops working. Instead of laws to
stop stupid behaviors make the tech
to make it impossible. Suddenly the
streets are safer for pedestrians
and other drivers. No longer dependent
on political morons to fix the tech,
we all can get back to playing Paranoia.

You can easily sell this to capitalism by
explaining they are losing valued customers
with the death of every cell phoney.

I see some have noticed that D T watched
a lot of Moussolini newsreels for pointers
on body language and gestures. : ^ )

Hiker Britches July 30, 2017 7:33 PM

@ albert, Rachel, Clive Robinson :

one of those compressed-air-powered horns … hat with a forward-facing flashing light.

For a lot less weight to carry around, trail hikers use little whistles that can be heard for miles if blown hard. Besides their come-rescue-me primary purpose, they make great anti-rape whistles that can stop a big, strong attacker without violating weapons laws. Blown more gently, they might say “Look up from your fondleslab and get out of Clive’s way!”

Wael July 30, 2017 8:03 PM

@tyr, @Clive Robinson,

[…] If it detects you walking it stops working. IF the GPS senses motion
it stops working.

Right on! Enforce rather than delegate (or regulate.) I’m an advocate of that. Isn’t gonna happen, though!

Wael July 30, 2017 8:27 PM


I must have missed the discussion of Taft in 2015, because I would have offered two books by Thomas A. Bass, “The Eudaemonic Pie” and “The Predictors” I remember both being entertaining reads…

Well, you could still do that! No rule that says you can’t post to old squid threads; I do that all the time. Taft’s book is really fascinating. A recommended read. The engineering problems he faced and solved are impressive (software, hardware, control systems, RF and antennas, digital and analog…) I may read the other books you recommended, just not sure when.

Wael July 30, 2017 8:37 PM

@Milo M, cc: JG4,

Story of four US Army enlisted men who derived the blackjack strategy later used by Thorp:

Thorp’s research is based on a single deck that’s “randomly” shuffled. His work was extended to multi-decks. However, nowadays the shuffle is anything but random. Basic strategy won’t work. Card counting won’t produce the expected results either unless you are part of a very well funded team with replenishsble bankrolls that can sustain protracted heavy losses. Even then, winning isn’t guaranteed. It’s not like the designers of these shufflers don’t know about basic strategy and card counting! They employed some very sophisticated algorithms that )

Besides, there are other secrets. Perhaps I’ll share one day 🙂

not the brightest bulb July 30, 2017 9:38 PM

Running a Tor Relay on an Apple computer is relatively straight forward.

Yes this will probably attract scrutiny, but so might searching for the word tor, visiting or reading a linux journal, or visiting

After Trump was elected, I figured this is the least I could do. With China and perhaps Russia banning tor and VPNs and the Snooper’s Charter in the UK, etc., things are trending down.

Anyway, draft, as-is, instructions for a tor relay (neither exit node nor bridge) on a MacIntosh from the command line

As admin:
Step One, Step Two, and Configure Tor as a Relay as found in

Step One
Download and install Xcode and MacPorts

Step Two

Configure Tor as a Relay

Sample torrc

#modifications to torrc; use at your own risk
ORPort 9001
ExitPolicy reject : # no exits allowed
Nickname ididntedittheconfig
Log notice syslog
Log notice stderr
RelayBandwidthRate 400 KBytes # Throttle traffic
RelayBandwidthBurst 400 KBytes # Throttle bursts
AccountingMax 20 GBytes # each way per period
AccountingStart day 00:00 # day period starts at midnight
SOCKSPORT 0 # relay only

usage tends to be about 4 Gig in and 4 Gig out per day with the above settings; around 240 Gig/Month total

Finally, allow incoming connections to tor through your firewall, if prompted.

As standard user:
watch Terminal feedback and Activity Monitor feedback periodically
titrate by doubling or halfing Bandwidth (also adjust AccountingMax) based on your ISP plan; you may find actual usage is fairly linear within a range
optional: use computer or network for other stuff too, of course

Figureitout July 30, 2017 10:37 PM

RE: tor discussion
–As we’ve discussed a million times, just using some tool won’t be a magical silver bullet. I think Tor says this themselves, so I don’t see the point of the argument…Thru some identifying stages (if you’re really good, you can avoid even this for most part, but I think it’s impossible to not show up on some radar these days, too much surveillance), you should be able to get yourself to a point that you can make a connection to the internet that’s mostly devoid of PII.

Unfortunately these discussions involve little evidence and devolve into name-calling bar-room brawl-type talk. One nice of piece of evidence that Tor has worked to a degree is this powerpoint:

Whatever you use anonymity for, hopefully it’s a good purpose, not scummy. My main purpose was escaping grasps of attackers terrorizing my life, for brief periods of time. I don’t really have a use for it anymore, like any truly secure workstation it had to be ever-changing, mobile and under the control of a truly paranoid being. Most of my security and homebrew projects I post fully online. I want employers to see my paid work to show them what I can do but can’t.

Clive Robinson July 30, 2017 11:51 PM

@ tyr, Wael,

How hard would it be to make a cell phone that won’t work while in motion? If it detects you walking it stops working. IF the GPS senses motion it stops working.

It’s conceptually simple but practically hard, very hard, and there is no way to make it reliable in action in human terms.

To see why invert the premise and make the operating function a counter. Such a product exists and is called a pedometer. Untill recently there was no point in cheating a pedometer because there was no value in doing so. However insurance companies have changed the game and there is now value in cheating a pedometer by way of reduced –normally way over priced– health care policies.

With the advent of an incentive to cheat a pedometer lots of inventive minds have got to work. In effect the insurance companies have stupidly invented an arms race they can not win. People will think up simple ways to cheat those pedometers, the insurance companies will think up counter measures to catch the cheaters and so that loop goes around each time some cheaters will find a method to beat the counter measures. We’ve seen this before with ECM / ECCM / ECCCM and commercialy with the subscription service Sky Satellite Broadcasting.

Mean while the insurance companies get locked into a second ECM war with other insurance companies playing “follow the leader”. Worse by legislation (Obama Care) every citizan has to have health care insurance… You can see where that is going to go, as was said in the film, the only sensible move is not to play.

Flipping the premise back up you will see that if their is “wriggle room” then people will cheat the system because they see value in doing so. But worse still if only one company put in an anti-walk-n-talk option it would quickly go out of business because such a feature has “negative value” for a purchaser.

Thus the only way to attempt to get it would be by legislation, which will fail as reliable technology does not yet exist. Which as we know with “Smart Guns legislation” is likely to have a perverse effect on the manufacturers. That is they will find ways to ensure the idea never becomes reliable, so never gets put on the market to become a legislative market killer…

The problem is there is two much wriggle room, and two or more types of movment detection required thus there will be not just edge cases but corner cases, and each attempt to improve detection will double up at minimum the number of courner cases and more for the edge cases.

The two current movment detectors are tuning fork gyroscopes and satellite position fixing (GPS). Neither is reliable or even suitable for the application. GPS is slow and has an inacuracy margin short term greater than you would get with walking or dancing. You could average out by integration but to tell the difference between ordinary hand body movment whilst sitting or standing will require a long integration time. Likewise the gyroscopes have a sensitivity issue in that they are “band pass” detectors and will not detect absolute position, as movment above a certain speed or below a certain speed will either not register or will register inaccurately.

I could go on at further length but I think you both know enough to fill in the rest for yourself.

Inside Threat Model July 31, 2017 3:09 AM

It makes perfect sense to anyone alive, why dragon is a popular password for 2016.
I don’t even watch television and I can tell you about a cultural phenomena known as “Game of Thrones”…

JG4 July 31, 2017 6:13 AM

I forgot to say that The Eudaemonic Pie tells the story of a group of students who built wearable computers to beat the casinos at roulette. They put a lot of work into the effort, but only transiently made money. Later some of them went on to found The Prediction Company, which used pattern extraction/recognition to beat the markets.

I have the impression that Wall Street in the 1990’s hired the best and brightest of a generation of physicists to build adaptive systems for computer trading. Today most of the stock volume is the descendants of their machines arbitraging frctions of a penny per share. The machines have to adapt to each other and to what is left of the human market. High frequency trading is part of the mix.

The machines practice system identification on each other and on the humans, by spoofing bids to measure the response. The first time that I remember realizing that you could do system ID on humans was in the late ’80’s or early ’90’s when I noticed that some prices in the grocery store seemed to change randomly over time.

Big Brother IS Watching You Wtach

While you’re watching Disney’s films at the cinema, Disney can now watch you Quartz. It’s enough to make me want to don a mask the next time I go to the cinema. Guy Fawkes? King Kong? Groucho Marx? Yogi Berra?

We Can’t Live in Fear of Our Own Intelligence Community American Conservative

Google’s new program to track shoppers sparks a federal privacy complaint WaPo

Ergo Sum July 31, 2017 7:38 AM


Google’s new program to track shoppers sparks a federal privacy complaint WaPo

The WaPo link for the article:

WaPo’s initial article on the subject was in May with more details:

In related news… Just last week, I’ve received a privacy policy change notice from the credit card company. The brunt of the changes is about sharing my data affiliate and non-affiliate entities, data such as:

  • SS# and employment information
  • account balances, transaction history and credit information
  • assets and investment experience
  • joint marketing with other financial companies

Since this is in the US, one needs to opt-out not to share his/her information. Opting out isn’t made easy and one cannot opt out from all of the sharing.

Cash it is for me for most of my purchases….

Dirk Praet July 31, 2017 7:43 AM

@ Figureitout

As we’ve discussed a million times, just using some tool won’t be a magical silver bullet. I think Tor says this themselves, so I don’t see the point of the argument

The nail on the head. It has already been pointed out a million times – both by myself and others, on this forum and in other places – that Tor will NOT protect you from resourceful nation state actors because of a whole series of defects and shortcomings. Even the Tor people themselves have never ever said otherwise. It is just one of many (free) tools that allows you to surf the web in a somewhat more anonymous way than standard browsers do. The elevated degree of protection it offers against ubiquitous data collection to me in itself is already enough reason to use it.

Still there are those who for reasons I just can’t fathom keep flogging the dead horse. Giving people concerned with privacy and anonymity a choice between just giving up and reverting to Safari/Internet Explorer, or rolling your own CLI browser in ADA and running it on Plan9 IMO is a pointless and entirely useless argumentation that is not helping anyone.

ab praeceptis July 31, 2017 8:12 AM

Dirk Praet

(Besides the fact that I wouldn’t consider Plan9 as secure…)

It seems to me that you overlook four points.

a) Here we are in a security blog and hence our perspective is quite different from any Jane and Joe site (where I wouldn’t engage in saying what I think about tor).

b) Joe and Jane, when wishing to enhance their situation won’t say “I’ll brush up my math and learn a whole lot to make an informed decision” – nope, they’ll act based upon what the next best magazine is telling them, which more often than not will come down to sth. like cubeos is a magical silver bullet and so is tor.

c) The danger of erroneously thinking one is secure. It’s always better to know the reality even if it’s ugly and frightening. erroneously believing to be secure when using xyz is making things worse, not better. Moreover, using tor can wake up sleeping dogs, paint a target on your, and generally turn against you.

d) Your mainboard is rotten (e.g. tpm, amt), your OS is rotten, your libraries are rotten, your browser is rotten – and the same goes for the endpoint at the other side as well as the nodes en route – and you seriously think that putting rotten tor on top of that somehow enhances safety and security?

My advice: apply Amdahls law, with a slightly changed perspective for security rather than performance.

Clive Robinson July 31, 2017 8:58 AM

@ Moderator,

I made a reply to Figureitout around 2AM blog time. I’v just noticed it’s not hear. Did it get caught or have I posted to the wrong place?

Moderator July 31, 2017 9:07 AM

@Clive, two identical comments addressed to @tyr, Wael were posted one after the other. I don’t see a reply to Figureitout.

Clive Robinson July 31, 2017 9:40 AM

@ ab praeceptis, Dirk Praet,

It seems to me that you overlook four points

There is a “point zero” you’ve left out,

0, Humans are born helpless.

Mankind is unusual for the type of creature we are, our offspring are born capable of very little, and spend the rest of their lives –if they are sensible– learning.

I’ve been known to take an absolutist view on security in the past and in some respects I still do.

However even though I myself take security precautions others would consider totally over the top if not paranoid. I still know I’m lazy in many OpSec respects.

The problem is it’s difficult even for someone who is close to clinical paranoia to live at high OpSec levels without crashing and burning or worse going over the edge into full scale psychosis[1].

Thus I accept that it’s an exceptional person who can live like that for even short periods of time even with extensive training and aclimatisation experience.

Whilst I would not want people to give up in despair, I recognise the experience curve whilst starting gradually can appear vertical at times. So not insurmountable but requires training and equipment etc.

Further I also know from long experiance that the level of OpSec / security required varies depending on situational requirments. When things do go wrong is when there is a mismatch between situational requirments and OpSec / security employed. Interestingly many do not realise that being over secure and employing to much OpSec actually is more harmfull in the short term than to little that tends to be harmfull in the long term.

Thus I would rather people start gently and take their time developing their skills than try and jump in at the deep end flounder and drown.

Rome was not built in a day nor did it die suddenly, it’s partial demise was due to the inability of those in charge to change to changing situational requirments. However some did learn which is why we have the likes of the Holy Roman Empire.

[1] I use the dictionary definition of,

    psychosis : A severe mental disorder in which thought and emotions are so impaired that contact is lost with external reality.

Rather rhan the ICD10 F29 definition,

Rachel July 31, 2017 10:09 AM

@ Wael

i have read an autobiography of one of the MIT Vegas savants. I’m not sure if it is definitive. Methods in the book have been altered to prevent the author getting killed by the crew he used to roll with. From memory its largely interesting by detailing the social engineering employed by both casinos particularly when they start feeling nervous about certain patrons, and by the gang themselves – being clever alone will get you deaded pretty quickly, in that world clever must be wrapped in something. It’s in a ‘Çatch Me If You Can’ vein. It doesn’t get technical at all. The story tapers out with the author succumbing to horrific levels of gambling addiction and ends up in recovery groups broke and soul less.I am sure Clive would make similar observations for anyone considering such a career.
I’m sure you’ve got more useful things to read although it will be interesting for some with specific interests I suppose
There have been a few intriguing characters in that world though. I recall one who won serious sums of money,but no one quite knew who he was. the various investigators employed by the casinos sought him around the world for a long time and became interested when it appeared he had dropped some fragmented PII.
after many more months of investigation and piecing it together said PII was of a famous gambler from over 100 years prior. at which point they realised it was hopeless.

CallMeLateForSupper July 31, 2017 10:13 AM

“How hard would it be to make a cell
phone that won’t work while in motion?”

Let’s just say, “Not easy”. A question that you should consider is, “How hard would it be to sell a cell phone that won’t work while in motion?”

citizen: There’s been a car crash in front of my house.
911 operator: Is anyone hurt?
citizen: I don’t know… it just happened. I’ll go see. Hello? HELLO?

Six and seven years ago I experienced distracted walking countless times per day, every day, while cycling for exercise on a local MUP (multi-use path). Read “mixed, pedestrian/fast-mover traffic”. By far the root cause of the threat to pedestrians was their own lack of situational awareness. Plant ear buds; select play list; mentally go to la-la land and ignore their surroundings. After a pedestrian pulled a fast U-turn without looking, putting herself into the path of an overtaking cyclist and getting knocked to the ground, the town put its foot down. Pressure pedestrians to share responsibility for their safety? No, not a word about that. Impose a speed limit. I don’t ride there anymore.

ab praeceptis July 31, 2017 10:23 AM

Clive Robinson

I get your point and agree.


  • My question is not whether Jane and Joe are somehow huilty; I’m not a judge. As far as I’m concerned, they may well type their stuff in ms office and send it by email, possibly “protected” by zip-passwording it.
  • Unlike Jane and Joe “security” projects should be held to good standards and accountable. They should frankly say that the very best their stuff can hope to achieve is to be a ridiculously tiny bit more secure – and, importantly – that, due i.a. to poor software design, spec, implementation, the end result for Jane and Joe might well be less security.
  • My interest is driven by the question how we can really achieve safer and more secure systems and communications. In that sense I not only forgive Jane and Joe but even pity them – seeing BS being spread here or in other security circles, however, makes me furious.
    Frankly, there are plenty computer magazines, fora, and blogs that spread BS and fairy tales like cubeos or tor significantly enhancing security. We don’t need any more of that here.

I mentioned Amdahls law because, while originally looking at performance, it’s quite simple and can make statements about security as well. And it does so in a quite clear way.
What’s the performance enhancement in the original version for us is the safety/security (or even just reliability) enhancement.

Considering AL as one of diminishing returns we also discover that a non-neglegibly small enhancement of safety/security can only be achieved by (considerably) enhancing RSS (reliability, safety, security) of major parts of the software stack. It seems quite evident to me that this directly leads us to the question languages and formal methods (which is why I push that issue again and again).

Another very strong hint is empirical: crypto very rarely gets broken; it’s simply circumvented by (ab)using some of the utterly rich set of weaknesses and vulnerabilities.
Which can be directly translated to “the effective security gain by indeed excellent crypto frighteningly often equates to null”. Reason: No matter how good your doorlock is if your door is built into a house made of wobbly paper.

Dirk Praet July 31, 2017 10:28 AM

@ Clive

I’ve been known to take an absolutist view on security in the past and in some respects I still do.

There is nothing wrong with taking an absolutist view on security, especially with your (astounding) knowledge and expertise. Imposing such a view on others that don’t even know where to begin is an entirely different cup of tea.

@ ab praeceptis

Here we are in a security blog and hence our perspective is quite different from any Jane and Joe

Not every visitor of this blog is a subject matter expert. It’s called “Schneier on Security”, not “Schneier on Security – Certified Experts Only”.

Joe and Jane … ‘ll act based upon what the next best magazine is telling them

If we keep this blog accessible for Jane and Joe too, then perhaps they’ll learn what are the correct tools for what particular purpose instead of blindly relying on whatever some glossy magazine or other media source is telling them.

erroneously believing to be secure when using xyz is making things worse, not better.

No argument there. And the exact reason why it doesn’t make any sense to preach an absolutist view. Educate people. Get them from A to B in a way they can comprehend. And then further. Not from A to Z in a way they can’t either understand or execute.

you seriously think that putting rotten tor on top of that somehow enhances safety and security?

As long as you take that absolutist view, then everything is futile and no one but yourself, @Clive, @Thoth, @Nick P, @Figureitout and a few others have any business here. I’m not convinced if that’s really what @Bruce had in mind when he started this forum.

Wael July 31, 2017 10:35 AM


i have read an autobiography of one of the MIT Vegas savants.

Try to read Taft’s book. You’ll find out what happened to him when he got caught (more than once, including a security related airport incident – long before TSA) There is also a fascinating story about what he did in Atlantic City. I believe this would make a movie better than the MIT crew story one (Brining the house down) which I only watched the first few minutes of. It was full of nonsense, that’s why I lost interest.

My main interest in the topic is this:
How can gaming regulators get away with this?
What type of testing was done to assess fairness?

My assessment is: the system is rigged and not only corrupted to the bone[1]: it’s bad to the bone-marrow! And that’s assuming the RNG is absolutely “fair”.

I’ll queue messing with the lyrics for another topic in the future 🙂

Clive Robinson July 31, 2017 11:04 AM

@ Moderator,

Hmm sounds like a ‘fat finger’ problem at my end.

@ Figureitout,

I will put my “memory cap” on and see if I can recreate my comment a little later (it’s rush hour in London currently, or “strap hanging” time depending on your prefrence).

ab praeceptis July 31, 2017 11:20 AM

Dirk Praet

I’m under the impression that you are politically driven. While I do see the good intention behind that, I also have a simple question:

Why not simply telling Jane and Joe the truth?

“I take you from A to B” and recommending, say, tor is largely a lie.

As you yourself say, tor will not protect against a resourceful opponent. So against whom shall Jane and Joe be protected? Against their neighbour? Against the village police officers?

The truth would be more like “I take you from A to B with A being 1.5 light years away from security and B being 0.00035 light years closer – plus, of course, it will open you other risks”

Again, I do understand your good intentions. But I also see the reality and the unpleasant fact that that very attitude has played a major role in bringing us into the swamp we’re in.

tor? (Presumably) good intentions – and people trusting it in jail or at least in serious trouble.

But the weirdness doesn’t stop there. Take the example of selinux and other “security” enhancements that come right from some of the worst adversaries! Pardon me, but in my minds eye that’s sheer idiocy.

Once more, I do understand your good intentions. The problem, however, is of a kind that needs much more and quite different to be solved. The good intentions, coming down to “meaning well and then repeating the cardinal error (of unprofessional fumbling) that created the nightmare in the first place” reminds me of einsteins famous idiocy dictum.

Also keep in mind that some opponents do the right thing! microsoft invested heavily in designing and implementing verifiably safe software. darpa and other voldemoort agencies did projects, too.

There is only one way. We must create better software (and systems). OpenBSD, doubtlessly amongst the finest C coders in this galaxy, have failed; plain and simple. If those people fail then it should be utterly obvious that we need a better approach, one that makes it feasible for good developers to create RSS software.

As for you and me, you’ll probably continue your way; no problem. But kindly accept that I continue mine, too – and I have plenty arguments in my favour.

Who? July 31, 2017 11:28 AM

@ ab praeceptis, Dirk Praet and anyone that wants to participate.

With relation to the four points overlooked by Dirk Praet. I completely agree with your points (a) up to (c)—we are in a security blog so our point of view has to be highly technical and critical, it would be a shame if it isn’t; we should not assume a technology is secure just because it is “the cool technology of the month,” and of course we should not believe Joe and Jane will understand how compromised our current technology is.

I cannot, however, agree about point (d). There are somewhat secure operating systems out there, some of these operating systems are either too expensive or too specialized as to be useful as general purpose ones, but others (OpenBSD) are doing a good work. I do not say our computing infraestructure is perfect, it isn’t, nor it is the computing infraestructure used by the intelligence community either. The key is not saying “all is lost, there is nothing we can do” but trying hard to improve the world. I agree, however, the endpoint at the other side is a key element here, but it is fixable too. With relation to the intermediate nodes the best we can do is using strong encryption, as strong and mathematically sound as possible.

I understand the problem with hardware itself. It is certainly the right target for an intelligence agency that wants to mass compromising our technology. But it seems fixable too, or at least we can (and must!) try our best to improve the current status:

  1. Some manufacturers, e.g. Dell, allow workstations and servers to be configured without Intel vPro technology; it is a logical first step.
  2. You can try mitigating the impact of a rogue vPro technology. Here I have suggested two approaches in the past, (1) using PCI network cards that are not supported by Intel AMT, there is no magic inside the Intel firmware so it cannot work with all NICs ever manufactured, and (2) blocking communication with/from AMT ports (623, 664 and 16992 up to 16995, both tcp and udp) and filtering traffic at our firewalls by means of strict rule sets (both egress and ingress), e.g. allowing communication with external web servers from a single, non-AMT, machine behind the firewall so AMT traffic cannot be “hidden” as HTTP/HTTPS traffic.

The technology is not perfect but we must try to fix it and suggest approaches instead of saying “there is no hope.” If there is really no hope what are we doing in this forum? Are we wasting our time talking about a theoretical and impossible to solve problem? It would be sad if it is this way! I prefer thinking technology is fixable, even if it is a continuous process that will never end.

My goal is not building the perfect computing infrastructure, but something good enough. In my humble opinion, each step in the right direction is a win.

Thoth July 31, 2017 11:55 AM

@Security et. al.

“The technology is not perfect but we must try to fix it and suggest approaches instead of saying “there is no hope.””

I don’t think it is hopeless on a technical level otherwise why are we here discussing. The main point is whatever we discussed and pointed out, the same mistakes are applied repeatedly and fanboism does occur.

TOR is imperfect and so are many protocols. Even QC is not 100% foolproof or really unhackable until someone finds a way around it in the future.

We point out problems and point out methods to fix or remedy the situation but you should notice the type of tone and attitude we received.

I don’t think this is any good for us if we try to point out problems and there are some that do not appreciate but go about calling us Govt snitches whenever we try to point out the problems (i.e. calling me, @Clive Robinson, ab praeceptis et. al. snitches for pointing out on problems with TOR).

In fact, I did work for the local Govt’s Def-Sci sector and more specifically the local COMSEC dept which is how I got into more serious ITSec (i.e. encryption) in the first place but knowing the environment as it is, I refused the offer to lengthen my stay (which is pretty rare that the employer will offer) and left for other jobs.

Anyway, I don’t think much is appreciated and our advises goes to waste and get called out as Govt snitches.

I have also decided to remove some of my open source repositories since it’s not useful anyway.

Now that China and Russia have mandated that VPN and such surveillance circumvention tools (including TOR) as illegal, this will spread even further and the whole World would be affected which would include the once open and libre European countries and US which would likely follow suite.

Good luck with trying to setup usable and somewhat reasonable assurance security with shaky foundations and anti-privacy laws closing in.

There is nothing much to be said anymore.

ab praeceptis July 31, 2017 11:59 AM


There are some problems with your approach. A major one is “consumers don’t care a fly sh*t”.

Just look at consumer mainboards (a relatively techie component). I mean it; look at them. Design – that’s what you’ll find as major differentiator. “high-tech” and/or “futuristic” design of mainboard cooling elements, controllable light colour of the LEDs everywhere.

Or look at smartphones and tablets. Design again. Plus “ease of use”.

Security? Sure. If you have a nice logo and lots of marketing they’ll by second hand cat poop in cans with “security!” printed on them.

Or look at the OS side. The vast majority runs windows – for no particular reason; it just happens to come along with the hardware (which Jane and Jane translate as “it’s free!”).
The second large group (of desktop or table users) has apple. Two major arguments: (surprise!) Design and “coolness”.

Which leaves us with some 3% to 5% of the market besides windows and apple. With those the pattern repeats. Some 95% or so run linux, of which again “ease of use” is ruling (e.g. ubuntu, mint).
Another, quite small, group is the BSDs of which OpenBSD is but a small fraction.

As sales figures of snakeoil vendors (like anti-virus) amply demonstrate, the logic of about 95% of consumers hardly even contains the item “security”, and if it does they usually mean something that a) can be click click installed and b) is socially established, either by peer group or by printed toilet paper (95% of IT magazines).

That’s one (and a very unimportant one btw) reason why I address professionals, in particular developers. They at least vaguely understand the field and, more importantly, they are the ones who can make the difference and enhance RSS in a major way.

Btw: You agree or not to my point d) above. It’s a fact, however; maybe a very unpleasant one but a fact. (What makes you believe that e.g. linux somehow magically becomes secure just because it’s in a 50.000$ device in a rack and with a brand label on the box?

Who? July 31, 2017 12:13 PM

@ Thoth,

Anyway, I don’t think much is appreciated and our advises goes to waste and get called out as Govt snitches.

No! The advice given in this forum is excellent and —I am sure— lots of readers appreciate it. I am one of these readers that really appreciate each good tip given here, even if it shows a problem with OpenBSD (the only operating system I use on my computers) or other supposedly secure tools. As an example, on the last year I only used smartcards to access my own infrastructure and will continue this way. Smartcards are just a small step in the right direction, but they are a highly welcomed technology.

Tor is a good and clever design, but it does have its own weaknesses and it is obviously being targeted by powerful adversaries that take advantage of these weak points (usually the relays). Is it a NSA-proof technology? Obviuosly not. But it may be a security layer for a journalist or someone that wants some privacy. I certainly would not trust on Tor if my life depends on being hidden, but it is the best lots of non-technical people can use to protect themselves.

Who? July 31, 2017 12:26 PM

@ ab praeceptis

Btw: You agree or not to my point d) above. It’s a fact, however; maybe a very unpleasant one but a fact. (What makes you believe that e.g. linux somehow magically becomes secure just because it’s in a 50.000$ device in a rack and with a brand label on the box?

What makes you believe that I think that linux on a $50.000 USD device is secure? I am a developer on an important security-related software project and understand technology better than a lot of people thinks. No, linux is not the right foundation for a secure communications and/or computing infrastructure.

Who? July 31, 2017 12:57 PM

The key here is understanding that technology is not perfect —in fact, it may had been compromised for years— but that trying to fix it is more productive that saying “all is lost.”

The leaks from the IC in the last years show that there is nothing revolutionary on it, they are people (like anyone on this forum) not magicians. There are known weaknesses, bugs and backdoors in software and we suspect there are ones in hardware too. Our best bet is working hard to fix them instead of shout out “it is a lost battle.”

My suggestions to lock vPro are not so bad. I think they deserve some merit and consideration. Of course there are risks, like the one of having some sort of antennae on our chipsets that allows WAN communications with, we say, cell sites. But I believe that if this technology exists and it is so widely deployed we should know about it right now. IC is not exactly good at keeping secrets. Recently a sort of NFC antenna has been found on the new Intel Core i9 processors, so there is people looking at it. I have confidence there is not that sort of communication channel on our devices, however the risk of an unknown and surprising widely deployed surveillance technologies exists, this is the reason our work should be a process that will never end.

Dirk Praet July 31, 2017 3:18 PM

@ ab praeceptis

So against whom shall Jane and Joe be protected? Against their neighbour? Against the village police officers?

What you are preaching is theoretical security for the 0.001% up against targeted attacks by nation state actors. What I am talking about is security and privacy mitigation for the rest of the world against everyone else: snooping friends and family members, your boss, script kiddies, cybercriminals, the local sheriff, corporate and state sponsored mass surveillance. Which either seem to be of no concern to you or should also be defended against with theoretical or self-developed HA solutions that would be massive overkill for their purpose.

Granted: we indeed need to move in the direction you’re advocating, but it’s not going to happen overnight and, meanwhile, we have a choice to either use imperfect tools we try our best to understand the weaknesses of, or do nothing at all.

I also find it quite telling that countries like China and Russia are trying to ban VPNs and Tor, which – unless this is all a massive psy-op – would seem to indicate that at least some authorities are struggling with them.

@ Thoth

i.e. calling me, @Clive Robinson, ab praeceptis et. al. snitches for pointing out on problems with TOR

I hope you’re not counting me among those who do. And unless I have missed something, I have never seen either you or @Clive being called a snitch or a government agent for either bashing or pointing out Tor defects.

Clive Robinson July 31, 2017 3:52 PM

@ Moderator,

Hmm sounds like a ‘fat finger’ problem at my end.

@ Figureitout,

I will put my “memory cap” on and see if I can recreate my comment a little later (it’s supper time in London currently).

ab praeceptis July 31, 2017 3:57 PM

Dirk Praet

What you are preaching is theoretical security for the 0.001% up against targeted attacks by nation state actors

Plain wrong. What I preach (if one wants to call it so) is to finally design and implement ALL halfway critical software properly. This includes bios, OS, drivers, important libraries, authentication tools for all users (e.g. password store), and more.

Moreover I personally do not care much about top-teams from the agencies of a few states being able or not to hack my system. In other words: No, the very top 0,001% of adversaries are not a significant concern of mine (i.a. because those adversaries would find other means to get what they want).

snooping friends and family members, your boss, script kiddies

In case you care somewhat about reality: Those adversaries do not succeed because, oh, we just used aes-128 and not aes-256, implemented in Ada. Nope, they succeed for two reasons: a) utterly poor opsec and b) utterly poor everything, starting with plastic boxen running linux over poor OSs to poorly created applications and connecting to poorly created servers.

You know what could change that? Properly designed and implemented software, which again would mean that it’s created using better languages and tools.

I also find it quite telling that countries like China and Russia are trying to ban VPNs and Tor

How snarky boring! What Russia prohibits is VPNs being used to go around blocks of illegal sites and to communicate secretely with terrorists etc. In other words:

They ban it if and when used to do illegal things.

Duh! Who would’ve thought that! Just like plenty of “western lighthouse democracies” do, too. And just like “A gun must not be used to do something illegal”. Or like “printers must not be used to create fake currency or drivers licences”. How astonishing!

But sure, “despotic “Russian dictator Putin found new way to terrorize [insert poor little victim]” always works …

ab praeceptis July 31, 2017 4:30 PM


I want to make a confession.

Some have wondered why I’m against foss (not really but it’s OK if you understand it that way), against linux, etc.

Let me explain:

I like OpenBSD (and btw. other BSDs, too). I also like quite many other foss projects. What I dispise and reject is gpl fanatism. But that’s also not the main point today. The main point is this:

Software is quite a bit more complex that pretty any other engineering field. I know, because that’s why I chose it some decades ago. And please, pretty please, note the word “ENGINEERING”.

Would you like to drive your car with your family in it over a bridge that was built by some clueless hobbyists? How about putting your family in an airplane designed and built by hobbyists and air control managed by some 14 year old weed smoking boys?

You don’t like that? Strange – because you seem to have no qualms with that model wrt. software.

And again: (properly) designing and building bridges or airplanes isn’t more complicated than designing and implementing software; if there is a difference, building software is even more complex and harder.

The situation we are in can be roughly described like this:

The vast majority of software was designed and built by more or less clueless hybbyists or by corp. slaves with a product manager befallen by featuritis breathing on their neck.

THAT is by far the single largest reason for the lousy situation we are in with all that insecure software.

NO, it’s not even the languages and tools. We did have most of the math needed 50 years ago. We did have excellent engineers and the know-how to build excellent tools. And we had the necessity to do so – but, granted, we hadn’t the insight yet, we were still too fascinated by all the things we could suddenly do. But there were warning voices, e.g. E. Dijkstra.

I personally and subjectively happen too think that linus torvalds is an extremely dangerous man because he opened the box of Pandora. He put the – then utterly unreflected and now known to be false – idea into the heads of millions that just about everybody can, together with a couple of pals, create an OS.

Now, before you say “but linux is an OS!”: yes, you are right – and not. It is insofar as it more or less does what an OS is supposed to do. And it is not because it doesn’t do those things in the way they should be done by an OS. Properly, well reflected, and well designed.

You see, if Paul (14) decides to create an app to manage some hobby of his, just like linus torvalds did for his diving hobby, I don’t care. If his app fails, so what? But if Paul and some pals mistakenly create an OS that some decades later happens to drive major infrastructure we have a problem. A serious one.

To be fair, there is another very major culprit, namely the mindless, insane, profit greed driven commercial software field (well, very major parts of it). But – and that’s an important but – that alone could be handled and taken care off. The “everybody can hack some cool software” virus, however, is by far more dangerous because it pulls the very basis of software engineering out. It creates a situation similar to “everybody with a knife can do surgery if he likes to”.

I of course know that this post is going to bring up many against me. And, please feel free to call me a damn a**hole or whatever cools you down. But if you have some, even just a minor, interest in a world where nsa, cia, and many other structures, and, to be fair, even your drunk neighbour can not hack and eavesdrop on you to their liking with you being at their mercy, you might want to think a moment before going against me.

Who? July 31, 2017 5:13 PM

@ ab praeceptis

I see your point. Perhaps the answer is not banning open source and/or free software but giving the teams that develop the highest quality open source and free software projects financial support so best developers can work full time on writing code. As I see it, OpenBSD is by far more secure than any Linux distribution. Linux itself is more secure than Windows, OS X, iOS, Cisco’s IOS and even Linux-based operating systems developed by corporations like Google. So there is something wrong on the development model followed by corporations.

What about the bugs found recently in AMT?

The real issue here is the huge amount of low quality projects that plague this world (most coming from the free software branch, sometimes more interested in public notoriety than on writing something really useful). It is a shame for a community whose major difference to corporations is that they donate their work to the world for free.

Projects like OpenBSD do not obey the market rule that says the paying customer (who usually have just the money, but a complete lack of knowledge about how writing correct software) decides the evolution of a software product. It is a project whose evolution is on the hand of knowledgeable developers. Can you imagine a corporation rejecting the “advice” of a customer that signed a multi-million contract with them?

On this blog we are talking about security. This concept does not match well with closed source, unauditable to all except governments, written by careless corporations that sometimes develop odd relations with governments (e.g. Apple, Google and Microsoft joining the PRISM program).

I think open source, and sometimes free software too, are the way to go on a world where trust is a key value. If you think open source is ok but customers never read and fix the code I invite you to read the OpenBSD forums. You will see a lot of careful reviews of code, patches and suggestions by really clever users.

ab praeceptis July 31, 2017 5:37 PM


Thoth, who has a well earned and deserved good reputation, made me think quite a bit.

No, I do not think that foss is the way to go. It must be differentiated; some (relatively few) projects are good and at least led by a professional. The vast majority, however, is crap; that’s OK for diving management and other unimportant hobby stuff but we must get Pandora back into the box, we must make it understood that an OS, a core library (e.g. ssl), etc. can not properly be done by hobbyists.

To be honest, I didn’t think a lot about making the world better; that’s just not how I tick. But it seems to me that we must establish certain, ideally de jure but at least de facto, standards to separate the wheat from the chaff. It seems to me that formal methods are a good way: engineers will at least understand their necessity (or even like it) while all the hobbyists will howl and fail to pass the barrier.

This might also be good for another reason: applied to the commercial world it will also separate the wheat from the chaff. In a next step one can make laws that demand that e.g. accounting or banking software must be properly specified, modelled, and verified or else …

No matter what and how, we just must stop the bleeding created by the opened Pandora box (and the mindless, merciless greed of many companies).

Bob Dylan's Forked Tounge July 31, 2017 6:34 PM

“tor? (Presumably) good intentions – and people trusting it in jail or at least in serious trouble.”

“I certainly would not trust on Tor if my life depends on being hidden, but it is the best lots of non-technical people can use to protect themselves.”

(incoming rant)

What all of this discussion overlooks is that for a small subset of people it really is Tor or nothing. We keep bashing those who use Tor for bad reasons but they are the vanguard. If the pedo or the drug dealer isn’t safe then none of us are safe because our privacy depends only on the goodwill of the Russian spook or the FBI lawman and I don’t know about you but I don’t trust their goodwill at all.

I keep hearing a line of argument that goes, “we shouldn’t care about the tiny minority of bad people who use Tor because Tor is really great for the ordinary person who is trying to hide his PII.” That is a divide and conquer bullshit argument. It is based on the false premise that the only thing that state actors care about is catching the crook or the terrorist and if we just let the authorities have the bad guys they will leave the rest of us alone in peace. Total bullshit. The mass collection of metadata, the use of that meta data for propaganda purposes, the secret courts all are evidence of a different outlook: any excuse will serve a tyrant. The terrorist and the drug dealer is just the most recent excuse. Throw them under the bus and the next thing you know if will be your turn to be thrown under the bus. Russia isn’t banning Tor and VPNs for just the “bad guys”, it is doing it for everyone.

If one cares about online privacy then you are sleeping in the same bed as the pedo, the drug dealer, and money launderer, and the terrorist. Privacy doesn’t know any morality. Encryption protects the good, the bad, and the ambiguous with equal aplomb.

So I don’t want hear these arguments that go “Tor is weak and well, shrug, it’s not really my problem it is a problem for somebody else.” Tor’s problems are everyone’s problems. There is either a culture of security or there isn’t. There are either effective tools that protect data at rest, in transit, and at the end points or there are not. Compromise on these issues is an admission of defeat because the math itself is uncompromising. Compromise on these issues is an admission of defeat because the other side has no interest in compromise–the laws of math are to be suspended in Australia or else! Compromise on these issues is an admission of defeat because it says that even though we might be right as a matter of fact we don’t really have the will to win.

So shut up about Tor being broken and if you have the skills go help Roger fix it. Shut up about how the USA is trashing privacy with their vulnerability hoarding and if you have the skills go help fix them. Shut up about how the legal systems of the US and UK is making mincemeat about people’s rights and if you have the skills go to court and fight them. Stop kvetching and get to work.

(end rant)

Dirk Praet July 31, 2017 6:51 PM

@ ab praeceptis

In other words: No, the very top 0,001% of adversaries are not a significant concern of mine

Either you did not understand what I wrote or you are spinning my words. I was not talking about the 0.001% of adversaries, but of targeted victims (by resourceful state actors). And you seemingly not being concerned by the mitigation of security and privacy of the 99.999% others, most of which DO in fact benefit from correctly using where appropriate all the utterly useless systems and software you so loathe.

The approach to software development you are advocating – however well-meant – in practice would lead to a corporate controlled monopoly, the scarcely available licensed developers being folks with expensive university degrees that can be afforded by big companies only. It would kill FOSS, stifle innovation and creativity, make prices sky-rocket and be the wet dream of both corporate snoopers and authoritarian regimes that would be the only parties able to review or audit actual source code.

Whilst I agree that we are in a huge security mess today and for the exact reasons you are describing, your solution would perhaps improve security, but create an even worse situation from a surveillance and control vantage. Security is a means to an end, not an end in itself. However right you may be about the technical aspect, you’re totally ignoring the macro-economic, political and societal aspects of your approach. And which is a typical engineer thing.

They ban it if and when used to do illegal things.

They ban it because it can do illegal things, i.e. prevent or make more difficult nation state (mass) surveillance. Which is the exact thing you are denying.

George Ellard July 31, 2017 7:06 PM

Yeah, standardize it, that’s the ticket! Good ol’ standard potatoes were great for like 250 years till they got a bug and all the Irishmen starved! Microsoft can’t even impose 90% uniformity. Let’s go for 100! We’re tired of adapting our devastating sabotage malware to lots of different operating systems. Let’s make them uniform by law!

Ratio July 31, 2017 7:21 PM

When all you’ve got is authoritarianism, the solution to every problem includes a healthy dose of goose-stepping.

And when you’re an aspiring authoritarian, you can’t help but muse out loud about the patterns you’ll decree.

ab praeceptis July 31, 2017 7:29 PM

@Bob Dylan’s Forked Tounge (yet another nick …)

Cute “engaged” bla bla.

We keep bashing those who use Tor for bad reasons


I don’t know anyone around here who bashes tor users.

So shut up about Tor being broken and if you have the skills go help Roger fix it. Shut up about how the USA is trashing privacy with their vulnerability hoarding and if you have the skills go help fix them. Shut up about how the legal systems of the US and UK is making mincemeat about people’s rights and if you have the skills go to court and fight them. Stop kvetching and get to work.

I’m touched. How cute.
Just btw: Who are you to tell us what to do and what are the rules? GFY.

@Dirk Praet

Sorry but I don’t see much more than rather arbitrary assertions, some of which are even provable false.

I’ll pick out an important one: lead to a corporate controlled monopoly, the scarcely available licensed developers being folks with expensive university degrees that can be afforded by big companies only. It would kill FOSS, stifle innovation and creativity, make prices sky-rocket and be the wet dream of both corporate snoopers and authoritarian regimes that would be the only parties able to review or audit actual source code.

What a weird conglomerate of BS!

Not only could one also make a law demanding that all work done paid by tax money in research and state agencies must be oss available … but also: what, please, would keep those, oh so unaffordable developers away from doing what they do now, too, namely to write oss?

It’s quite simple: All I suggest is that certain sensitive stuff must be done in a demonstrably proper way. The 95% unimportant stuff can be done by hobbyists like now. And btw, they would profit, too, from my system because they’d have reliable good quality libraries available.

You (those who think like you) have had plenty chances and room. We can see – and suffer from – the utterly poor results, including btw. rather grave social damage; or how would you describe it when pretty everyones privacy and communications is, or can at will be made, transparent?

It’s time to step aside, social warriors, and to let engineers work be done by engineers. And it’s time also to create responsibility and to hold the greedy corps accountable at least in some areas where it really counts.

Thoth July 31, 2017 7:29 PM

@Dirk Praet, ab praeceptis

It’s not about you. You can scroll all the way up the top of the page and you will see them by certain people. A search might reveal more on other forum post.

I sometimes wonder why I made the choice to give up good pay and job stability in the Govt Def-Sci area when they nicely offered me the job and I simply refuse this rare ooportunity and prefer to research, discuss and implememt higher assurance stuff in the open knowing that it will not create much returns instead of being bounded by Govt contracts by working for them and creating designs that will never see the light of day but as an exchange for a very comfortable and stable life.

Thoth July 31, 2017 7:35 PM

@Nick P

You previoisly mentioned about the Enigma Bridge project and they have a topic on Unchaining the JavaCard platform by implementing crypto not supported on COTS JC systems and API. I was surprised that one of the presenters actually knew of my traditional Diffie-Hellman KEX implementation for JC 🙂 .

ab praeceptis July 31, 2017 7:40 PM


Welcome. But if you want a discussion you will have to have arguments.

Example: Currently we can not hold companies responsible. We have to ruler along which to measure.

I suggest a ruler, namely, a formal approach. How to break that down into some levels and whom and what to keep to what level can be discussed. One might, for example, demand that software in certain fields/of certain kind must meet this or that level.

A lower level might, for example, be that the whole software must be statically typed and must compile without error. That shouldn’t even be expensive or burdensome; that can easily be met.
A high level might be that the full software must be, or consist of subelements meeting that spec, fully formally spec’d and that both, spec and implementation must be provably correct. That would be much harder, yes, but it would handsomely pay of and moreover we would quite probably have more smaller companies specializing in some libraries in some field rather than the corp. behemoths we have today.

Finally: What else could be a better ruler for measuring? Formal methods are objective and fair … and we have lots of good experience with similar models in bridge building, railways, aircraft, etc.

Figureitout July 31, 2017 11:15 PM

Dirk Praet
It is just one of many (free) tools that allows you to surf the web in a somewhat more anonymous way than standard browsers do.
–Yep, and there’s basically no other free tool that comes close; so it gets the brunt of all kinds of attacks. Any security project here comes under that scrutiny and attack would fold eventually I bet. It’s dirty fighting, where they don’t get legally punished for otherwise committing crimes like B&E, stalking, intimidation, etc.

I just can’t fathom keep flogging the dead horse.
–Ranting, they want to rant.

As long as you take that absolutist view, then everything is futile
–Yep, it’s the same people (mostly person here) that’ll be ranting 10-20 years from now the same things, little to no progress, they were too busy ranting or b/c they simply can’t do the work they’re trying to describe. Oh they also have infinite resources and no time-crunch to remain financially viable. Also formal models that ignore hardware or other environmental factors are a joke imo…carefully constructed testing is more valuable then.

–Lots of the criticism is non-technical and very general, that’s the problem (what specific vulnerabilities). Proposals for altogether different designs to mitigate traffic analysis are also very unclear and can’t be evaluated at all.

Maybe you shouldn’t have quit that job, and put any money or knowledge from it into open source projects. Market needs to exist first for me to take a risk like you did doing your own business etc.

Our best bet is working hard to fix them instead of shout out “it is a lost battle.”
–Unfortunately there has to be a market for it too in this world, so unfortunately I think things need to get much much worse before a need for some of the security ideas we discuss here get considered by bigger vendors that can actually implement these ideas on bigger scales.

Bob Dylan’s Forked Tounge
Stop kvetching and get to work.
–Can only speak for myself. If I get some nice legal tender I’d either use it for my own research or fund security projects. I put skills I learn academically and on job back into open source projects. I just don’t have time for it usually, or am too tired after working. Need more paid work for real headway to be made.

Clive Robinson
–Ok, hope you find your cap. 😉

tyr July 31, 2017 11:23 PM

@Clive, Figureitout

I assumed that GPS would only be a useful
shutoff switch for an automobile cellphone
defeat. It can’t be that hard to detect
motion enough to shut off the mike input
and turn it back on when you’re stopped.
That way your phone teaches you correct
behavior patterns.

This is called operant conditioning in the
trade and it works. The cries of outrage
about it have never managed to back up
their ideas with any experimental proof.

Most of the objections are based on flawed
models of what a human really is. That’s
why so many ideologies and cultures fail
to improve conditions that all agree are
bad ideas with horrible effects.

JG4 July 31, 2017 11:35 PM

a couple of gems from today. one of them is spot on the discussion of robust software engineering. I thought that the Great Frost of 1740 killed a significantly larger portion of the population than the Potato Genocide of the mid-1800’s.

Our Famously Free Press

“Is The New York Times vs. The Washington Post vs. Trump the Last Great Newspaper War?” [Vanity Fair]. Betteridge’s Law applies. The deck: “Breaking story after story, two great American newspapers, The New York Times and The Washington Post, are resurgent, with record readerships.” No. Russia War Fever and Putin Derangement Syndrome are source driven; in other words, we’re looking at a particularly debased form of access journalism. Very little “reporting” is going on at all. That said, you can see the economic benefit a well-placed source, or a cabal of sources, can convey. Ka-ching. This sounds like James Risen’s beat. Maybe he can write a tell-all, now that the Times management has defenestated him.

News of the Wired

“A Look into NASA’s Coding Philosophy” [Student Voices]. Very interesting, and sheds a whole new light on “government work.” Suffice to say that “fail fast” isn’t an appropriate management or programming philosophy for, say, launch control system software….

Dirk Praet August 1, 2017 5:53 AM

@ ab praeceptis

but also: what, please, would keep those, oh so unaffordable developers away from doing what they do now, too, namely to write oss?

We actually have a fine example of my assertion right here under our very noses: @Thoth, a highly skilled engineer putting massive amounts of time, effort, knowledge and expertise into developing innovative HA-solutions and struggling to make ends meet after having abandoned his well-paid Govt Def-Sci job. To the point that he is retiring some of his OSS stuff and asking himself if he made the right choice.

The point being that developing non-commercial security-centric HA solutions for the 0,01% is economically unviable. And even a commercial start-up is unlikely to survive without venture capital or selling itself off to some existing big player.

I double-dare you: give up your well-paid job as a contractor or payroll employee for whomever you’re working now and like @Thoth start working on products of your own and developed according to your own standards. You will find it less than rewarding, both financially and in terms of job satisfaction since no one is interested anyway. It will be just a matter of time before you take up well-paid side gigs assisting some well-funded hipster start-up working on yet another useless social media app that doesn’t have security but data collection built in by default.

The only way around this is by imposing very strict legislative and regulatory requirements that inevitably will turn software development into a corporate and government controlled monopoly answerable to none. Stuff like Tor will cease to exist, and the only people with even the lowest levels of digital privacy and anonymity will be those able to fork out mucho dinero for it.

Again: from a strictly technical point of view, you are absolutely right. But you don’t seem to get the real-life implications of what you are proposing.

@ Thoth

How far can the rot in the Linux Community and the extent it’s anti-dev/contributor aura extends.

Linus – like certain others – believes that one way or another calling someone else’s opinion BS validates his own. In general, it doesn’t contribute to a productive discussion and essentially just alienates people from you.

Who? August 1, 2017 6:32 AM

@ ab praeceptis

I do not know why you dislike so much foss projects; perhaps you had bad experiences with low-quality “free software” in the past. Choosing wisely what open source (and free software) projects use is a challenging a long way. There are too many “free software talibans” that will just try to impose their products, even if they know the software they support do not work. There are a lot of free software (and open source projects too) that are just a joke. Let us say, for example, the systemd that is plaguing a lot of Linux distributions.

I certainly fail to understand WHY software written by corporations is better than software written by people who love what they do and, sometimes, do it nicely. Is it because commercial software is written by paid programmers? I do not get it.

What I really know for sure is that choosing closed source software to fill the gap created by the Pandora box opening is not the answer. If you choose wisely there are much more secure open source projects. You should obviously look outside of mainstream. Linux is the cool choice these days, but it is the choice of people that do not care at all about security. Even Linus Torvalds despises security, and do it publicly. Linux is the new Microsoft, they try to own the world with good looking, low quality software.

If you think closed [commercial] software is the answer then I am ok with it, but I certainly will never trust on software that cannot be audited by the users and that is in the hands of corporations that establish nasty links to the intelligence community for money, government protection or misinterpreted patriotism.

ab praeceptis August 1, 2017 7:02 AM


Oh well, linus, linux, and the funny bazar … I can understand him ranting sometimes, btw.; how he does, however, is inconsistent and unnecessarily rude. Whatever, it’s his kindergarden and it’s their thing to deal with.

@Dirk Praet

I doubt that Thoth is an example demonstrating your point. But that’s outside of this discussion, so I’ll leave it at that. Btw. his decision was mae in the current state of affairs, not in the one I suggest.

And, NO, the oss world would not come to a stand still. Simple reason: All the reasons and motications of oss developers would stay the same. Make the world better, just wanna share some work I did, etc. all that wouldn’t change. The only major thing that would change is that incompetent hackers (as opposed to professional engineers) couldn’t touch sensitive stuff anymore because it’s a part of my model to finally introduce responsibility for what one releases (in certain sensitive areas).

It seems to me that our discussion suffers somewhat from a misunderstanding in that you seem to take anything that calls itself security as such while I don’t. Example: you seem to see tor as something providing security – I do not; in my minds eye tor is just crap, and actually worse, crap that pretends to offer security.
So, you are right insofar as e.g. the tor people would bleed heavily in my model unless they dropped their (not at all) funny hobby experiment.

Looking closer, however, one will find that a very considerable part of security relevant work is oss.
In fact, in my model we would have even more oss because universities and other tax sponsored institutions would be forced to make almost all of their work oss.

Short, except for those cases where hobbyists create havoc by incompetently fumbling in areas they’d better keep off, pretty much nothing would change.

Funnily you repeatedly ignore the festering abscess I mention, namely: Hell, look around at what a nightmare your model has brought us into!

I double-dare you: give up your well-paid job as a contractor or payroll employee for whomever you’re working now and like @Thoth start working on products of your own and developed according to your own standards. You will find it less than rewarding, both financially and in terms of job satisfaction since no one is interested anyway.

I fully quoted that because I find it so funny. Obviously you can’t even imagine how wrong you are. I did exactly that and never regretted it. I’m fine, thank you, and yes, there are enough people and companies who happily pay for professionally solved problems. One part of my income, btw. has come from revamping and professionalizing dev. teams.

That’s the problem with ideology driven people like you: they increasingly fail to recognize reality and are limited to what – and how – their view permits them to see.
To make things even funnier: I also occasionally do oss, haha.

As for “imposing very strict legislative and regulatory requirements” – Yes! Hurray, YES!

You know, I strongly dislike the fact that medical equipment upon which my, may families or your life may depend, might be hacked and is of doubtful code quality. Moreover exactly that is one of the main tasks of a state – to regulate. It’s due to that that you can fly halfway safely.

And now, after lots of addressing diverse whims and speculations you brought up, let’s cut it down and put it straight:

We have the math, we have the know how, and we have the tools to do much better. Would you kindly explain why you insist on keeping the abscess happily growing? Would you explain why we should continue to have hospitals with lousy quality hackable machines, why we should continue to have major infrastructure incl. even reactors that is easily hackable?

If I’m to choose between a reasonably safe world and the arrogated “freedom” claim of some hobbyists to play with the world then I’ll take the reasonably safe world every day and twice on sundays.
I want people like Thoth to do software for our infrastructure and other very sensitive fields. The linux and other hobbyists could and should produce funny computer games, diving hobby software or the like.

ab praeceptis August 1, 2017 7:14 AM


“I do not know why you dislike so much foss projects”

That one is easy to resolve: I do not dislike foss projects generally and principally.

I dislike ideological fanatics (e.g. gpl) and I dislike hobbyists playing, fumbling, and stuttering in areas that are way above their capabilities and important for society.

I do like a lot well conceived and well done oss. In fact, I would want to force the governments to give us much more oss. We pay for the universities and research and we should have the fruits growing on those trees.

And I like the fact that oss inherently allows one to see the source code (although more often than not it makes one puke).

OpenBSD is a good example. Although they can’t possibly create a secure OS (due to posix, the C code base, and other factors) they are a good example. They are knowledgeable, competent, and driven by a good motivation, and they created something useful and reasonably trustworthy.

JG4 August 1, 2017 7:46 AM

The Deep State, like most other institutions, has been corrupted. The unaccountable and delegated power has been redeployed for private profit, in place of the stated (and legitimate) purposes for which the consent to delegate was obtained. The legitimate purpose of The Deep State is national defense, but imperial genocide should not be confused with defense. A key part of the redeployment strategy has been a series of long, coordinated and highly effective disinformation campaigns, including false flag events, assassinations and countless other crimes.
…[just for the record, Google is “The Deep State”]

Google’s chief search engineer legitimizes new censorship algorithm WSWS. Over the transom via email, we get this handy chart of the sites censored by Google:

Remember “Don’t be evil”? Good times…

Imperial Collapse Watch

America Needs a New ‘Dreadnought Strategy’ Foreign Policy. Not an encouraging headline; the UK initiated its dreadnought program on the imperial downslope.

Jury to decide fate of CIA torture psychologists Al Jazeera. As usual, the little guys get the chop. Bad as I believe Mitchell and Jessen to be.

with friends like these, who needs enemies? slightly off-topic, but it provides a threat model justifying something like TOR.

Earlier this year, President Donald Trump was shown a disturbing video of Syrian rebels beheading a child near the city of Aleppo. It had caused a minor stir in the press as the fighters belonged to the Nour al-Din al-Zenki Movement, a group that had been supported by the CIA as part of its rebel aid program.

Trump pressed his most senior intelligence advisers, asking the basic question of how the CIA could have a relationship with a group that beheads a child and then uploads the video to the internet. He wasn’t satisfied with any of the responses…

JG4 again:

ironic that Hillary CLinton a) wrote “It Takes a Village,” b) said, “do it for the children,” then c) in her role as secretary of state, distributed weapons that led directly to the deaths of hundreds of thousands of children. not so different from Madelaine Albright’s genocide against children.

it would be helpful if the TOR replacement/alternatives could actually provide anonymity, defeat traffic analysis, stop content collection, not leak location information, and provide various other figures of merit. protecting content is not a trivial problem, because it requires secure endpoints.

there are multiple tradespaces defining and surrounding the problem of secure communications. a related tradespace is given as concurrency, availability and integrity – pick any two. did I mention visiting the Harvard Center is 2015? Bruce had an open-hardware seminar that compared Arduino to a popular open-source cellphone platform that sells for $12 in China. control of the SDR is a given, and it could be forced to only communicate with one tower. further, the latency of the responses to the tower could be offset with a slowly varying constant (or random value) to dilute the position information from meters to kilometres. to place a call, rather than using the cell company’s switching gear to connect to the recipient, the call would be placed to a secure server which then calls the recipient. I mentioned before that a sufficiently large user base is required to dilute the traffic. if secure audio endpoints are provided by enclosing the cell phones in a sort of prison that sees only a white noise audio carrier in both directions, then two of three objectives can be fully met, with significant progress on the third. the location information security can be defeated by an adversary who places multiple observing receivers in the cell tower footprint. secure audio with defeat of traffic analysis (the channels all can be open all the time with white noise carrier in transit) and significant defeat of leaking location information.

I worked out another piece of the first-principles puzzle in the past few days. the problem on the blue marble, generally speaking, is unaccountable power. that’s what makes the non-scalability of trust so dangerous. combine that with the pyramid-climbing abilities of the sociopaths and psychopaths and you’ve got a real problem. or millions of real problems. this can be tied back to entropy maximization and generally indicates that the first point of consideration should be conflicts of interest. I would have guessed that an outsider politician could make a lot of headway with the voters by describing the entire quagmire in terms of conflict of interest. it has not escaped my keen notice that open-sourcing the technology that I describe here would empower criminals on both sides of the law. we seem to have seen that sort of empowerment with the purportedly dark web, and various Silk Road-type emporia. I suspect that the best case scenario on your planet is a profoundly dynamic balance of terror.

there is a lot more to say on many topics, but not as much time as there used to be

Clive Robinson August 1, 2017 8:24 AM

@ ab praeceptis,

I mentioned Amdahls law because, while originally looking at performance, it’s quite simple and can make statements about security as well.

It can but it’s inwards focused not out wards focussed which is why you have to be mindful of an idea from a century befor by the English economist William Stanley Jevons.

A century and a half ago he observed that technological improvements that increased the efficiency of fuel usage gave rise to not just an increase of fuel consumption –not drop– but a significantly increased consumption.

His argument was that rather than the simplistic view that energy consumption would remain static thus fuel demand would drop, the opposit would happen. That is as efficiency increased the cost would drop and thus demand would increase. But further the economy would grow because of that increased use thus increasing further demand and consequent fuel use. This became known as Jevon’s Paradox and it has a nasty sting in it’s tail, in that if the economy slows the cost of fuel will increase disproportionately, which makes it harder to get the economy going again.

This outward looking view is infact what drives the Personal computer industry. You can see the sting in the tail with the cost of business desktop machines, as consumption moved over to laptops, and likewise for consumer use with the move from mini-towers running windows to pads and tablets running Android. Thus the hardware becomes considerably more complex and manufactured at a faster rate. This intern adds significantly to the requirements for not just the OS, but the Drivers as well. Which as we know has a considerable negative impact on security.

Further when Amdahls law “came of age” a paper was published in 1988 by John Gustafson and his colleague Edwin Barsis that made another point which we all have seen, but most of us call it “software bloat” not Gustafson’s Law.

Basically they argued much as Einstein had that it was time that should be the fundemental way of looking at things. That is computer users quickly get used to a certain time delay, and actually do not want a to rapid response as at a user level this can make them feel preasured. Thus any increase in effiency in turn increasing system performance and thus reducing cost encorages programers to use it to do more with it. Thus you get better graphics, sound etc but things still take about the same time. Which means not just a vastly increased code surface but also much greater complexity thus a double hit on security.

Worse though is the fact that the Computer industry has got it’s self into a tail spin. In order to survive and keep “retail price points” the same –even though they devalue due to inflation– they need to increase not just, “exponentialy increasing computing power”, but also “exponential increasing code functionality”. The problem is the easy wins are long gone hardware is hitting the buffers and thus the drive for more code with not just bells and whistles but dancing badgers behined the row of dancing hamsters.

But it’s not just the hardware running out of steam as Gordon Moore’s law reaches the hard reality of the laws of physics even software is hitting the buffers.

Code is now made by cut-n-past from examples found on the Internet, squiged into code libraries, that have increasingly complex thus less understandable API’s thus encoraging further cut-n-paste. Unfortunatly for general security such examples are written to clearly demonstrate a single point and are not cluttered with the likes of handling return values or out of range inputs. Security is not even a consideration in such examples, thus the quality of code in applications is tanking as we see in IoT.

Worse code reviews etc take time and experienced personnel, so they have gone to at best administrative check boxes as the experienced personnel are required to churn out more code. Likewise testing takes time so the tests get less in depth and often drop back to just checking that previous bugs are still fixed.

We used to get code patches, but Mobile Phones show us the reality if it happens it’s only whilst the product is for sale which is about a year. So landfill is the destination of a smart phone within a couple of years. Likewise pads, where they appear to have replaced socks on the Xmas prezzi list…

But there is yet another hidden sting in the tail, manufacturers have realised they are about to hit the buffers on not just hardware but software as well. So they have resourted to the old “tie them in” trick of a “Walled Garden” but more recently turning customers into product by what is politly called “Instrumentation”.

The problem with a walled garden is you need product and a lot of it. But some of the lucrative nature of “tied in” has gone, thus there is competition on price. Which means the owner of the walled garden is not the one making the goods in “the company store”. Which in turn makes a lie of the “increased security” FUD walled garden marketing droids spout. The simple fact is the owner of the walled garden does not have the resources to test each application package for security, even by functional testing. Which is why we have seen malware get into the walled gardens by the bucket full.

The reason the users don’t see the malware is that it’s nolonger “ego driven” like graffiti, it’s all about stealing user data to make money.

There is a false assumption that every company can live on the internet by stealing data and repackaging it and selling it. It’s not true, the market for such data is finite, thus subject to the notion of supply and demand. Which means that the price will drop at any given level of data as more entrants enter the market. So there are two solutions, firstly get out of the market ahead of the game, the second is to add value to the data. The likes of Google have been doing both for quite some time.

However new market entrants are just trying for more invasive data theft. To do this they have to change the market some how. Cloud storage is a good way to get peoples data, and although it was not originally intended for that in effect that is what it has become. This became possible because of Jevons Paradox applying to communications, there is in effect no profit on carrying data –though mobile phone companies are still trying–, thus the subscription or one time cost model applies[1] much like it does with an “all you can eat” buffet.

The result of this has been the return of the Thin Client Notion. You design a product to be a “head end” device like an old style terminal with all the data processing and storage being done somewhere else. It has advantages in that the head end is cheaper to manufacture, and maintainence advantages in that the software the user is interested in runs on a machine at the company that makes it so patching etc is done silently. But the downside is your data is beyond your control for ever. A point Google found out the hard way when the NSA tapped their inter data center communications.

Thus those who want to profit off of people as product are embracing the “thin client model” or the “colabarative model” that puts the desired data on their servers. Which has a downside as we have seen. It’s not just Google there was CarrierIQ before them that the NSA profited by, but more recently we have seen Microsoft force as hard as it can users into a locked in cycle with increasing spying and forced cloud usage. But we have also seen IoT spying with IP video cameras, with microphones built in continuously gathering data also Orwellian Televisions that watch and listen to you, toys that do the same to your children and now your luxury high end semi-autonomous vacuum cleaner.

The problem is it’s not just low level electronics and software security that john and jane have to worry about, literally every new product is now turning into a spy. To force this product designers are turning products into “thin clients” that only do what you want if they are connected to the internet. Because they have realised there is no profit in manufacturing any longer, it’s all in “Rent Seeking” subscription models. You used to get your land and be left alone to build a home etc. Then various rent seekers came along with “protection rackets” and we ended up with them as our kings, barrons and lords of the manner. Meer vassals that were then told that they were the lords vassals or surfs. Worse than being a slave you just had to be taxed how you lived and died was not a cost for the lord which a slave owner had to bear. Likewise a slave owner had to confine their slaves, not so with surfs society was their containment. It is this state of affairs we are regressing into via the electronics we buy but only get to use buy somebody elses whim…

Thus whilst I take an interest in security and the bottom end of the computing stack with the electronics and software, it is not down here that john and jane are having their real problems with security. That lies above the eighth layer with managment through legislation, the politicians that make the legislation and the 1% of the 1% who pay the politicians one way or another to do their bidding.
Which is to turn society backwards five hundred years where individuals own nothing, are not alowed to own anything and must pay relentlessly untill death the very few. That much vanted “trickle down” effect will be there but through the guard labour who’s sole purpose is to weed out those who do not willingly don the invisable chains of the Emperor to furnish him with fine cloths, so fine meer surfs may not be alowed to look upon them.

So my viewpoint has changed over time, we need sociological security more urgently than we need technical security. People are slow to adopt new ways of thinking and need to understand that they need to adopt secure behaviours and maintain them much as most now acknowledge they should look after their health. People have to learn security is a personal responsability something they have to work at to build up strength.

Don’t get me wrong I’m not turning my back on technical security measures they are the foundations we have to have that can not be undermined but they are but the building bricks. People in general do not see or even want to see bricks, they want to see buildings in which they can live and work safely and securely. They don’t want to learn to be builders, nor do they want to be without buildings living what they see as a more primative existance. That is they have a comfort zone and for the majority that is where we need them to apply security to their lives. From there as they gain security strength they can expand outwards and widen their comfort zone. Some will take an intetest in technical security, most however will in one way or another take interest in social security ensuring that politicians work for who vote for them, not the fractional few who buy the politicos in one way or another.

Whilst this blog did start as a very technical blog and still covers it, our host has moved onwards to the social and economic side of security, thus the subjects covered has broadened out.

But whilt the social side is important we must realise that it is the economics of production that makes it possible.

Which brings us around to the question of the production of software and hardware. I’ve long argued that whilst hardware is engineered, software is at best crafted. History shows us that infact all things man maked are first created in the mind, then crafted into a tangible form which is then tested to the point where they need to be engineered via the principles of science. We test via tools, which are also made by tools, which at a fundemental level are designed from the bedrock of intangible logic up through mathmatics and meet the tangible world at measurands which get derived from fundemental physical properties.

The purpose of economics is actually efficiency, and to build the mathmatical models to be able to get there. In the process it does not address much that makes society society and does not cover much that is social and thus important to society.

The art of software is in many respects a social process, one aspect of which is how to do things not just effectively but efficiently. Thus it is subject to economic processes.

You and I broadly agree on “the C question” I put it as stradling the gap between assembler and high level languages, you see it as a meta-assembler. In essence the difference is where we see the low water mark for high level languages. I see it at partial almost minimal abstraction, you see it with a greater level of abstraction but importantly you see safety as being essential to the required level of abstraction whilst I do not to the same extent. You could say I regard the tool by what it does, not how it does it outside of that function. Thus I do not consider at that level the aditional functionality that protects the operator from the tool or how the tool protects the workpiece from the operator. Thus I regard guards and stops as being something added to a table saw functionality whilst you see them as integeral to the table saw operation. It is actually a difference in view point in the economics of production.

That’s not to say I do not consider it important it’s just where I draw a functional line. The reason for this is the direction I am coming from which is bottom up not top down. I see the function of the tool as a specific design, likewise I see the guard as a specific but seperate design likewise the limits etc. That is I take a tool makers view not an operator view. However the economic view although present in the tool design is also above the operator level at the process and managment levels.

The aim of a process is to take raw materials and add value to them to increase their utilitarian value. Implicit in that is that the proces cost be minimised to ensure that it remains viable at some level. This means making the process efficient which is where the aims of economics impinge.

A table saw that has no guards or stops used by a skilled operator will do the entire range of things possible. But the reality is it is rarely used out of a small subset. So whilst the cost of the tool is a lot less the cost of a skilled operator is much more than a semiskilled operator. However a semiskilled operator has a higher probability of getting injured. So ecanomicaly the managment choice is to buy a more expensive table saw and gain that back by using lower paid less skilled labour.

In essence your argument for type safety etc whilst totaly valid and sustainable from a security aspect, also has a valid economic argument, in that enables the use of less skilled workers to produce the same level of “piece work”. It also has other arguments as well in that it lightens both the cognative and progrming load on the programmer. That is they do not need to think about or write program logic to check for range conditions etc. As long as they do so for return values caused by exceptions.

Where it goes wrong is two fold, firstly way to many programers do not adiquatly deal with return values and the prefered way of dealing with exceptions is to just abort, which is actually the worst thing to do in a system view. Secondly because of the “hand holding” they are not used to dealing with errors and their diagnosis, thus they only reach a certain skill level above which their limitations and failings return. The latter issue becomes a major issue in that what might be a minor issue for a skilled programmer becomes a major if not insurmountable problem to the lower skilled programer. As these problems can be viewed as either edge or corner cases thay will often not get resolved and simply become known faults in the code that gets pushed out to the public and await a maintenance relese. It is these faults that become the prime vulnerabilities for skilled attackers.

It then becomes a probability question as to if a maintenance release fixes the vulnerability before it is found and exploited. The view used to be that even if a vulnerability was found it would quickly become public thus fixed. We are now finding out that this is far from true. Vulnerabilities are found and it depends on the mentality of the finder or their employer if it becomes public or not. In essence vulnerabilities are either outed for personal reasons or they remain hidden and exploited covertly often for long after the product they are for is nolonger supported.

Thus we have a “growing pains” problem. Increasingly high level languages will alow most programmers to be much more productive. But such languages are known to be insufficient, thus further more formal methods are needed and this means that much more resources are used in production which is not desirable in a competitive environment. Which is what happened with Victorian boiler makers. The result is the need for more powerfull more efficient boilers led to an increase in failures that could not be hidden or ignored. Thus Parliament passed safety legislation that caused science to become a proffession and artisans and craftsmen to become scientifically literate and thus become engineers.

Currently most people who write software are at best artisans, many due to the drudgery of commercial work find an outlet for their creative side in Open Source Software. Few use formal methods and many have no notion as to what they are. Software houses by and large have little or no interest in correct functionality let alone security. That is they care little about reliability or safety just getting bells and whistles to market. Interestingly untill very recently few commercial application software houses cared about a reputation for correct functionality, reliability, safety or security in their product releases. The exceptions were those who were making ICS and mission critical software. As the likes of NASA and others have shown correctly functioning software that is reliable and safe for use, needs to be engineered and this is an exacting and resource intensive process. One that the current application software market will not on any way support as they would be out of business before they got their next release out of the door.

A lookback at history shows that yes boilermakers took a hit when legislation came in but as they all took it at the same time they survived though it did effect the economy somewhat.

But one important thing came out of the process and that was fully tested fully specified and standardised parts. Because they were standard you had multiple suppliers and their properties were well known. This started the standardisation of parts which alowed greater efficiency with the advent of two world wars it became not just parts but whole sub assemblies that became standard. This enabled buildings to be produced way more efficiently and quickly than older methods.

And that is the point, the software industry needs to move from being artisanal to enginering.

Further programing of applications needs to become more like shell scripting that kicked off the idea of rapid prototyping. The majority of programers should not even be using what we call high level languaged, they should be taking standardised tasklets and scripting them together. That way productivity levels can be maintained but quality and security levels raised significantly, whilst also making maintenance and upgradability more efficient and sustainable.

[1] The earliest form of this was with the Uniform Postal Rate from Victorian England with the Penney Black stamp. It cost you a penney irregardless of if your letter was going one street, one town or the length or bredth of the country away. Likewise it did not matter if your letter contained one or one hundred words, it just had to be below a certain size.

Inability to Comprehend the Obvious August 1, 2017 9:26 AM

Elon Musk and Mark Zuckerburg recently had a public discussion over AI. Elon stated that Mr Z did not fully appreciate the threat from smart robots.
Mr Z was then mocked in this very column stating the benefits of robots over addicted zombies. One projected finding was no more advertising and data mining as the zombies die off.

Not a week later Facebook shuts off AI experiment after two robots ‘begin speaking in their OWN language only they can understand.’ Another learning moment!

Why go through life learning everything the hard way?
America already suffers enough from incompetent leaders.
My vote goes to Kid Rock!

ab praeceptis August 1, 2017 9:38 AM

Clive Robinson

Many interesting thoughts, indeed. However, lacking a sufficient amount of expertise and knowledge I’ll refrain from commenting on much of it (e.g. economy, sociology).

My – widely agreeing with the relevant aspects of yours – summary is very sad, too. It comes down to the observation that most developers haven’t even a proper understanding of their field and profession, and I do not even mean that technically.

We live in a highly complex world and abstraction and knowledge encapsulation are a major and frighteningly often not understood part of our profession.

Two examples:

We do not need to know the registers of some controller and the involved mechanism. A driver does that for us; it abstracts and encapsulates knowledge. So, say, an OS developer can simply do things like “write those bytes to the disk”. But he himself also abstracts and encapsulates knowledge, allowing application developers to not need to know how en detail the file system works; he can simply say “OS, write those bytes to file a/b/c”. And so on and so forth.
Similarly an application developer needs not to know the innards of, say, aes. He can simply say “encrypt those bytes using key xyz”.

We humans are, well, human. Which is very much different from processors. Plus, usually we (developers) work for other humans who do not even care about anything wrt. IT. The accountant, the architect, the railway controller, they just want something done and – important – they express that something in their language and based on their thinking.

As a consequence we are to be interpreters and transformer and doubly so. First, we need to transform the clients task description into something we can work with; we need to “translate” it from his to our world. And then we need to transform our design of the solution into something the machine can digest and work with.
So, our work starts on a very abstract and human level, often with a task described in another “language” and thought frame … and ends with registers, addresses, and cpu ops.

An added problem is the fact that phase 1 (client – sw people) may or may not be verifiable. While most would probably argue that it’s quite simple for the client to see whether what he got is what he wanted, things often aren’t that simple in reality. Example: what client wants often changes during dialog as he learns about things he didn’t know or think of. Other example: No, client can not simply see what he gets as actually he usually just sees the effects of the software and not the mechanics.

Phase 2 seems to not even exist in many developers heads or is solved by a compiler/linker run not puking and the software not evidently crashing. However, as many unpleasant cases and even desasters should have tought us, it’s far more complex. In fact, I’d submit that verifying that the code we produced actually corresponds to the (often non existing) specification is a major part of the task.
Not having verified that “the software works” is but meaningless stuttering.

As for economical, social, or political aspects of what you wrote “my belly” largely agrees but I feel unqualified on much of it.

Some factors, however, seem strikingly clear. One is the (progressed very far) stupidization of the people and the “functionalizing” them into obedient and mindless consumers and work bots who happily carry the fruits of their labour to some gadget shop to buy plunder and who seem to be quite content to enjoy some utterly meaningless “freedoms”. Another factor is the painfully evident rule of the 0.1% who mercilessly abuse, plunder, and enslave anything and everything to get what they want (which usually is simply “more!”).

One final remark as you happened to address it, too, albeit from another angle: bloat. I fully agree with you and add that bloat – as well as eternally bug ridden software in ever new versions – are not considered as problems but rather as assets and desirables and even foundations by quite many in the 0.1%. After all, both the corporations and the deep state (insofar as there is a difference) win. Granted, the citizen herd is losing and paying (and sometimes bleeding) but then, isn’t that just the norm?

Yet another reason to write good and bloat-free software (obviously not in C/C++, java, javascript, etc.).

Dirk Praet August 1, 2017 10:42 AM

@ Clive

So my viewpoint has changed over time, we need sociological security more urgently than we need technical security.

I couldn’t agree more. It is not until there is wide-spread awareness of the importance of digital privacy and security that people will start to demand it and hold accountable those withholding or jeopardising it. I have never understood that in a country like the US where the right to protect your physical security with guns is even enshrined in the 2nd Amendment, so few care about their digital rights and security.

And that is the point, the software industry needs to move from being artisanal to engineering.

Now here’s something we all can agree to. We all would like to see formal methods and formal verification resulting in fully tested and specified, standardised parts. The only question is how we can possibly achieve that all while making it economically viable in the context of an industry that like most others is nothing but a race to the bottom.

Personally, I don’t think it’s gonna happen until a 9/11-like cascaded infrastructure failure hits millions, causes unspeakable damage, sends a couple of big-wig tech CEO’s to jail and has opportunistic politicians outbidding each other to come up with the most draconian piece of legislation to please their gullible electorate. And which still carries a major risk of turning the entire industry into a very closed bigcorp and government controlled environment.

@ ab praeceptis

I doubt that Thoth is an example demonstrating your point.

We’ll let @Thoth himself be the judge of that.

And, NO, the oss world would not come to a stand still.

When a guitarist can no longer perform on stage before he has become a technical virtuoso, then very few will remain. When guitars themselves can no longer be played until they have been formally vetted and certified for a particular purpose, few models will remain. It’s no different in software development.

Funnily you repeatedly ignore the festering abscess I mention

In one of my earlier post I explicitly acknowledged the mess we are in today and for the reasons you mention. Whilst I concur with your thesis, I completely disagree with your absolutist view, your relentless bashing of those who at least try to mitigate the situation with whatever little means they have, as well as your utter disregard for the average Jane and Joe and the non-state actors they are up against.

I did exactly that and never regretted it.

So if my understanding is correct you are running a successful SMB that is selling highly secure software and services. May I then inquire into which commercially available products (and services) we are talking about? And no, a one-man company doing custom work for 3rd parties doesn’t count. That makes you just another (expensive) hired gun. And just how much of all of that is (F)OSS?

ab praeceptis August 1, 2017 11:45 AM

Dirk Praet

([Clive] the software industry needs to move from being artisanal to engineering.) … [you] Now here’s something we all can agree to. We all would like to see formal methods and formal verification resulting in fully tested and specified, standardised parts.

That is not what your posts to me suggest.

When a guitarist can no longer perform on stage…

a) Why the switching to completely different images? Let’s stay in the software field.
b) BS. Again: I want higher standards and responsibility for certain sensitive areas – not for any and all software.
In fact, I would even be fine if hobbyists continued to fumble with their “OS” or ssl. All I want is that there are clear standards that are binding for some usage scenarios and that there is a clear marking.

The linux hobby group, for instance, could continue – but their stuff would lack any professional acceptance and could not be used e.g. in hospitals, airplanes, etc.

My impetus isn’t driving hobbyists away from their favourite toys. It is to keep them out of certain sensitive areas.

your relentless bashing of those who at least try to mitigate the situation with whatever little means they have, as well as your utter disregard for the average Jane and Joe and the non-state actors they are up against.

Depends on how you define mitigation. If “here, take that lollipop and some aspirine” is considered as mitigating aids or lung cancer you are right. Just ask e.g. the diplomats whose email (routed through tor) was collected…

As for Jane and Joe and non-state actors – stop the bullshitting already! I’m tired of your wanton coming up with made up allegations. Don’t confuse your ideologically driven subjective perception of me with the reality.

Which part of “your game was played for decades and just look at the nightmare we’re in!” do you fail to understand?

OpenBSD has a great and smart team, plenty experience, and the right motivation – yet there are 100s of potential vulnerabilities in it. C/C++/java and no formal spec nor verification are two monstrous factors pretty much all of crappy software have in common. How much more obvious do you need it? Does it need to bite your nose or explode your dog for you to recognize it?

And while you talk about “social” and “freedom” … how about the freedom not to be hacked and eavesdropped?

JG4 August 1, 2017 2:42 PM

this jogged my memory of the assassin/mercenary/drug-dealer whose story was linked here last year – the name might be Paul Theroux. haven’t seen a peep about it in the news in the interim

security is an adaptive system, not unlike other systems, having inputs and outputs, intermediate states, and failure modes.

News of the Wired

“Dynamics of medieval cities” [Understanding Society]. “Cities provide a good illustration of the ontology of the theory of assemblage (link [this is interesting — lambert]). Many forms of association, production, logistics, governance, and population processes came together from independent origins and with different causal properties. So one might imagine that unexpected dynamics of change are likely to be found in all urban settings…. This study presents a fascinating contemporary test of a thesis that would surely have interested Pirenne almost a century ago: did medieval cities develop spatially in ways that reflect a reasonable degree of freedom of choice among residents about where they lived and worked? And the data seem to confirm a ‘yes’ for this question.” Sounds better than Manhattan today. Or London in Sloan Square or Kensington (particularly the Grenfell Tower area).

“Behavioral self-organization underlies the resilience of a coastal ecosystem” [Proceedings of the National Academy of Sciences]. “Our paper provides clear experimental evidence that spatial self-organization profoundly increases the ability of ecosystems to persist in the face of disturbance.”

“Is There a Giant Planet Lurking Beyond Pluto?” [IEEE]. Yes. That’s where the aliens set up their Interstellar Customs and Quarantine Station.

Dirk Praet August 1, 2017 3:04 PM

@ ab praeceptis

I’m tired of your wanton coming up with made up allegations. Don’t confuse your ideologically driven subjective perception of me with the reality.

And I am tired of your name calling, belittlement, twisting of my words, inability to understand comparisons or metaphores, straw man arguments and refusal to give straight answers to perfectly valid questions.

I respect your knowledge and experience as an expert programmer, but I can easily understand why a growing number of visitors of this blog and even our host himself get irritated by your discussion style that ultimately demeans your entire point and even makes some think that you’re a government agent.

ssid stuff August 1, 2017 3:36 PM

A number of people in the usa, in an apartment like setting are willing to share their individual wifi connectitions from their respective ISPs. Background

Their is some overlap of wifi signals from separate ISP accounts. The users aren’t particuliarly tech savy and probably want to “keep it simple stupid”. For example, sort-of a mesh wifi network.

One idea is to have:
1) as the guest network name at various non-overlapping locations
2) in the vicinity of 1)s have neighbors choose SSIDs like,,, or (pet_name, author, artist, or other)
3) thus users in an area could pick SSIDs based on signal strength or availability at the time (rather than seeing just one SSID)
4) it would be nice if people moving around with tablets, laptops, etc., in the area would have a relatively good experience getting their messages, mail, chats and other connectivity.
4b) post this around
5) hope that or might consider getting involved in potential litigation if things came to that

Does having multiple ssid names, not just one guest ssid, sound like a reasonable idea?

Feedback and other ideas would be appreciated?

I know Bruce has written about this before. For example in his book Schneier on Security or in Wired magazine and I am curious what his thinking is now.

In a world where individuals in different countries routinely access the web from different open wifi SSIDs at least the surveillance states might have to work harder to “collect it all” and “use it all”, especially if VPNs, and tor, are going the way of dinosaurs.

not the brightest bulb August 1, 2017 4:37 PM

Thanks for the link above.

“Whatever you use anonymity for, hopefully it’s a good purpose, not scummy.” Regarding an Apple tor relay, I think it is configured not to use a TBB (relay only; but the MacIntosh running the relay is available for word processing, non-torrified safari, VMs, and so on). Regarding scummy, traffic from various tor users of types: may pass through the relay. In addition, regarding scummy, traffic from the “four horseman of the apocalypse”, not mentioned in the latter above link, may pass through the relay. AFAIK, you can’t pick and choose your tor relay traffic easily.

Regarding traffic shaping or tor traffic shaping and the like, does anybody have an opinion regarding if tor is a net positive for usa spooks, law enforcement, and the like. Since presumably they use it, too, of course. For some other countries, because of traffic shaping and tor traffic shaping like issues, perhaps spooks, law enforcement and the like in other countries find tor in a less positive or net negative light.

Clive Robinson August 1, 2017 5:13 PM

@ tyr,

It can’t be that hard to detect motion

It’s relatively easy to detect movment in a certain range with a tuning fork gyroscope. But there are problems not least because it does not tell you what type of movment it is.

For instance I’m sitting in a chair typing this, but because I suffer from muscular skeletal problems I fidgit when sitting down to ease the pain. Thus my phone is moving around in ways not disimilar to some one walking and typing.

Thus the tuning fork gyroscopes are not upto the job of measuring geographical displacment as I mentioned before.

GPS can detect geographical displacment of more than ten meters or so, but only by integration. The longer the integration the more accurate the measurment. But that integration needs to be long thus slow to detect a person walking around in small circles outside a bar door etc. But again it takes a while to work out actual parambulation as opposed to other body movment like trying to move your head and sholders around in a noisy environment to find a lower noise null etc.

Even if you overlap the info from the tunning fork gyros and GPS you will get both edge and corner cases.

All of which means the detection is going to have both false positives and negatives, or to put it in engeneering parlance “it’s going to be flaky”. And the one thing that kills product in any kind of consumer review is the word “flakey” or any synonym for it. It triggers some primeval part of the brain and sends people heading for the trees.

not the brightest bulb August 1, 2017 6:04 PM

@ab praeceptis, @Clive Robinson, @Thoth

Thanks for your professional and skeptical opinions regarding tor

From ab praeceptis
“c) […] Moreover, using tor can wake up sleeping dogs, paint a target on your, and generally turn against you.” This may be the “fly in the ointment” regarding using tor.

From Clive Robinson
“0, Humans are born helpless.”
You may know that “learned helplessness” from psychology, Mitchell and Jessen were part of the US Torture program.

From Thoth
“Now that China and Russia have mandated that VPN and such surveillance circumvention tools (including TOR) as illegal, this will spread even further and the whole World would be affected which would include the once open and libre European countries and US which would likely follow suite.
Good luck with trying to setup usable and somewhat reasonable assurance security with shaky foundations and anti-privacy laws closing in.”

Thoth August 1, 2017 9:58 PM

@Clive Robinson

It is rather spooky that the dire privacy and personal security crisis dealt by Amber Rudd, Theresea May et. al. in the UK is much much worse than I do expect.

Amber Rudd argued that “real people” don’t need or use end-to-end encryption.

This is rather distorted.

How about conductong financial transactions over unprotected HTTP since it’s encryption and is anto-establishment !


Figureitout August 1, 2017 10:16 PM

–Don’t think I’d really want that feature, the occasional lockups from false positives would lead me to want another phone.

I certainly fail to understand WHY software written by corporations is better
–That’s not the argument, it’s a pretty simple one, we live in a world run by money whether you like it or not. 1) Most people do their best work during normal working hours (earning a paycheck to eat/live), 2) Not having funds for basic necessities (in technical industries, we need tools that cost $$) will result in worse quality or even shutting down.

not the brightest bulb
–Yeah, it’s also how people can behave when you can do/say things w/o anyone knowing it’s you. Some of the bullying/suicide encouragement comes to mind…

Thoth August 1, 2017 10:58 PM


How to make E2EE chat apps relevant in the face of Governmwnt crackdowns. Let’s put aside high assurance stuff like data diodes and go with medium assurance first.

  • Micro payment probably with some P2P setup (Wechat style)
  • Bitcoins/Altcoins transaction forwarding.
  • Mass Incident Response messaging system.
  • Business communicator (including corporate B2B messaging).
  • 2FA over E2EE chat. One example is E2EE-OTP messaging.

  • Accounts reset code and links over E2EE chat.

  • Subscription based notification and news agreggatiom over E2EE chat.

These are some ideas. It might seem yucky but this is the better way to keep E2EE chat being relied upon to prevent wreckless legislatures from destroying it.

JG4 August 2, 2017 9:02 AM

Big Brother is Watching You Watch

Amazon Echo can be turned into a spying device, security researchers reveal AndroidGuys. Chuck L: “Apparently the vulnerability has been fixed on the 2017 version of the device, but owners of earlier ones should heed this advice:”

…in order to successfully hack the speaker, a hacker would need to have physical access to it. So you might want to lock your Amazon Echo away when your computer wiz cousin comes over for a visit. . . the attack can be carried out by removing the Echo’s rubber base to reveal 18 debug pads which can be used to easily debug the device. From there, hackers would be able to boot directly into the firmware by attaching an SD card or install malware without leaving any actual physical traces.

US lawmakers are trying to fix the security nightmare that is the ‘internet of things’ Business Insider (David L). It’s not fixable. For starters, manufacturers go out of business and there is no one to continue to be responsible for the device. And notice the article insisting we must submit to having spying devices. I’m going to continue to buy stupid devices. In fact, given the tone of this article, enterprising readers with attics should stock up on non-IoT-infested devices (anything that runs off electricity is expected to be chipped someday) for their own use and perhaps future sale. Or you could figure out how to turn your entire home into a Faraday cage and engineer carveouts for select devices.

Imperial Collapse Watch

Trump’s new Air Force One planes could come from bankrupt Russian airline Guardian

book_review August 2, 2017 11:08 AM

From a JG4 link, I think. Jeremey Scahill and Alfred McCoy talk about empire. “McCoy argues that the 2003 invasion of Iraq was the beginning of the end” of United States empire “. McCoy is not some chicken little. He is a serious academic. And he has guts.”

Arundhati Roy’s, 13 May 2003, address at Harlem’s Riverside Church, which was delivered “soon after President Bush landed on the aircraft carrier and announced all hostilities were over in Iraq.” is called “Instant-Mix Imperial Democracy, Buy One Get One Free.” You might want to read it or listen to it.

David Ignatius on North Korea

From the London Review of Books, with some history on North Korea
“Today that problem has undergone a new twist. Trump has by and large handed the national security apparatus over to the generals. Now wearing three stars but still an active-duty army officer, McMaster occupies the post of national security adviser. Career military officers, active and retired, fill numerous positions on the National Security Council staff. The defence secretary is a former four-star general. So, too, is the secretary of homeland security. Truman, I imagine, wouldn’t have approved; it’s possible MacArthur would feel vindicated. The rest of us watch with a mixture of curiosity and trepidation.”
Now another general is chief of staff at the white house.

Finally, talk of the town inside usa dc beltway, for a few days

book_review August 2, 2017 12:21 PM

“Now another general is chief of staff at the white house.” should be “Now the general who is chief of staff at the white house used to be secretary of homeland security.”

JG4 August 2, 2017 4:57 PM

News of the Wired

Sums it up (and I enjoyed programming):

‘programming’ is a delightful pastime in which you debug for hours only to discover the real problem is: you can’t read, and you can’t count

— catnip nerevarine (@direlog) July 16, 2017

“It is easy to expose users’ secret web habits, say researchers” [BBC]. “The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather ‘clickstreams’.” Via browser extensions.

JG4 August 3, 2017 6:51 AM

not so long ago, I posted this comment

Empire is a machine, driven by greed, conflict of interest, amorality and hubris, that crushes bodies and souls to make money and power.

it needs an update in light of adaptive system theory

Empire is an adaptive system, driven by positive and negative feedback terms, that crushes anything required to maximize entropy.

unfortunately it will crush your throat with Orwell’s boot if that increases the entropic satisfaction of the insiders. it also crushes any rules that hinder maximization of entropy.

Concurrency, Integrity, Availability – pick any two.

There should be a side-channel attack on Intel’s Management Engine using a near-field antenna on the CPU package, and/or memory and/or data and address lines. The signals at the antenna are demodulated and fed to an artificial neural network, which uses feedback to recognize the difference between normal operation and subverted operation. Far from a working system, but perhaps a useful and reusable concept.

Rabbit ears are back! Antenna sales back on the rise as millennials are shocked to discover broadcast TV is FREE Daily Mail

UPDATED: Siedle, Raimondo Critic, to be Awarded $48M in SEC Record Whistleblower Case Private equity sleaze.

Steep fees call into question bitcoin’s promise for the underbanked America Banker

Our Famously Free Press

Using Tech Tools to Do Data Reporting NYT. I guess that’s why the Times could axe 27 reporters and gut the copy desk; they’re going to do everything with data! Oh, and video.

New Cold War

HAMILTON 68: DASHBOARD TRACKING RUSSIAN PROPAGANDA ON TWITTER German Marshall Fund Alliance for Securing Democracy. From the FAQ:

The Hacking Wars Are Going to Get Much Worse NYT. “It’s only a matter of time before a state’s response to a cyberattack escalates into full-blown military conflict.” And if I were looking for the mother of all self-licking ice cream cones, cyber, where attacks have attribution problems that are (purported to be) solved only by intelligence community technocrats working in secret, would be my ideal candidate. Not that I’m foily.

vas pup August 3, 2017 8:16 AM

@all I noticed some of our respected bloggers (I am guilty as well)have dogmatic thinking on some issues. That should be useful reading how handle it.
Dogmatic individuals hold confidently to their beliefs, even when experts disagree and evidence contradicts them. New research from Case Western Reserve University may help explain the extreme perspectives, on religion, politics and more, that seem increasingly prevalent in society:

Clive Robinson August 3, 2017 9:22 AM

@ JG4,

Using Tech Tools to Do Data Reporting NYT. I guess that’s why the Times could axe 27 reporters and gut the copy desk; they’re going to do everything with data! Oh, and video.

The idiot behind the idea is the NYT CEO who previoulsy was the Director General of the UK’s BBC, where he decimated news and journalism to the point it was easy for the Rupert Murdoch runts to use it as a significant advantage in their desire to destroy the BBC and other UK broadcasters.

I would be unsuprised to find he was on the take from News International / Fox etc in some way either directly now or “on a promise” for future lucrative benifit.

But as you might know I’ve been warning about his behaviour for some time now. Let’s just say his stupidity / perfidy is less becoming less covert these days…

furloin August 3, 2017 6:23 PM

@Slime Mold With Mustard
So does that mean wannacry was created by the USA IC? That would be mind boggling to me. Why shoot yourself in the foot instead of just patching the vulnerabilities before releasing it? I am never visiting def-con or the USA if that’s how researchers are treated there.

Thoth August 3, 2017 6:26 PM

@Slime Mold With Mustard

This is how the US Govt says Thank You to whitehat security researchers for stopping malware infection. They depot, detain and coerce the target.

The best way to do security research is not to do with a real name or a real identity and to use pseudo-nonymity which doesn’t exist anyway.

Maybe the best choice of action after discovering a means to stop a malware is to keep low and protect oneself.

Honestly, the current climate is simply not conducive for publishing free and open security research due to the uncertainty of what might follow later on. It is best to figure something out and stay quiet.

Thoth August 3, 2017 6:36 PM


The US and 5Eyes ICs are seemingly behind many strains ans types of malwares and who knows what you said might have a chance of being true.

Regarding travelling to the 5Eyes territories, it is high on my black list of nations to travel to these days and they should well be high on the black list of any sane security researcher unless they are willing to gamble on not being kidnapped by these countries’ Govt and become one of the missing population.

JG4 August 3, 2017 8:57 PM

the original quote was a work of art, after it included greed, hubris, amorality and fear

“Empire is a machine driven by feedback to crush everything in the path to entropy maximization” doesn’t have quite the same resonance

eventually, the feedback terms destroy the machine, but not before it has maximized your entropy. the resulting high-entropy environment is a lot less nurturing than what went before.

the afternoon news dump

The Bezzle: “Billionaire investor Marks, who called the dotcom bubble, says bitcoin is a ‘pyramid scheme’” [CNBC]. “‘In my view, digital currencies are nothing but an unfounded fad (or perhaps even a pyramid scheme), based on a willingness to ascribe value to something that has little or none beyond what people will pay for it,’ Marks wrote in the investor letter Wednesday.” Two competing theories of value, there.

The Bezzle: “[A] photo taken by VICE of a recent arrest in Brooklyn appears to indicate law enforcement has done more than come to terms with the existence of Uber—and may in fact be using the company’s logo as a disguise for undercover work” [Vice].

The Bezzle: “Facebook shuts down AI after it invents its own creepy language” [Daily Dot]. This headline is the idea that propagated, but the lead is buried, and it’s not a technical issue.

Concentration: “‘This handful of companies [Apple, Microsoft, Amazon, Facebook] is writing the operating system for the new economy,’ said Brad Slingerlend, lead portfolio manager of Janus Henderson’s global technology fund. ‘The bigger companies are both able to collect data and use that data to build into adjacent businesses’” [The New York Times].

Big Brother Is Watching You Watch
“In China, internet censors are accidentally helping revive an invented ‘Martian’ language” [Quartz].

Another contribution:
Moon of Alabama @MoonofA
.@selectedwisdom @propornot honorably lists my website as Ru propaganda. Request to add my Twitter account to your tool. @intelwire @gmfus
7:56 AM – Aug 3, 2017

Class Warfare
“Infinite Peepshow” [Logic]. (The print version also includes “The Mother of all Swipes” by Marie Hicks. “A working-class woman from East London invented computer dating more than half a century ago. Fascinating!)

News of the Wired
“We have unrealistic expectations of a tech-driven future utopia” [Recode]. No, “we” don’t. I find the Jackpot perfectly plausible.

Clive Robinson August 4, 2017 4:54 AM

@ SlimeMould…, furloin, Thoth,

The UK Guardian Newspaper that @Bruce used to wrote opinion pieces for, has a piece about Markus Huttchins, who was arrested by the FBI at the airport,

Marcus is not saying anything and has claimed 5th amendment rights, (let us hope he did it correctly) because he had no representation according to the article and is due back in court today.

The FBI he wrote or is involved with the Kronos malware. However the FBI are known to go overboard with foreigners who are briefly in the country (remember the Russian researcher who revealed that Adobe app encryption was compleate crap).

In essence the FBI MO is “grab, scream, deny, blackmail and export” the latter two to prevent the person from suing the FBI for damages etc.

A point that non US citizens should note, is that as far as we know the researcher Marcus Huttchins has not committed any crime, anywhere, let alone in the US.

On the assumption he did write some code that did get incorporated into Kronos. Firstly the code may not be exploit code (ie attack vector or payload). Secondly malware writters are not exactly unknown for stealing every bit of code they can from other places. Even the US & Israeli IC’s do this, as have corporations like Sony and many many more.

Likewise a very large number of everyday “code cutters” cut-n-pastes from any place they can find on the Internet. Put simply if you put any example or other source code up on the internet some one is going to “borrow” it usually without credit or payment etc etc.

It’s also quite common for malware research example –like Proof of Concept (POC)– code to get circulated and copied.

And let’s be honest the FBI have a bad reputation of trying to prosecute foreigners to points way way beyond that they would do to US citizens because as far as they are concerned there are no downsides to doing so. Because few US citizens will care about foreigners in trouble so no newsworthy protests, and if they can not find anything that will work in a court they keep threatening “you will die in prison” then do a deal to get the person out of the country never to be alowed back to fight for their rights etc. It’s an age old process that any criminal defence lawyer will tell you about, it’s called “Rights Stripping”. We’ve seen it with the witholding of evidence such thst the DoJ can claim that a person “Has no standing” and the court kicks the case out. Oh and as has been shown the FBI are not above a little manufacturing of crime, which most would call “Deliberate Entrapment” or worse. Likewise as has been discussed here often the cyber legislation is realy realy badly written and of such wide scope to the point you could be convicted reading the screen of an unattended computer like an ATM or advertising hording facing onto a public walkway…

So we will have to see how this plays out.

But as I’ve said befor my name has been associated with a DMCA takedown, thus as far as I’m now concerned the US is off of my travel itinerary even for flight changes.

Clive Robinson August 4, 2017 6:27 AM

GRSecurity sue Linux “Personality” for defamation

Bruce Perens seen as a “Linux Personality” by many made various comments on his blog about GRSecurity and the method they have decided to use to protect their IP from certain well known software houses. GRSecurity has decided that enough is enough and that Bruce Perens should stop presenting factual misrepresentation –and thus defamation and restriction of trade– as protected speech…

At the heart of this is the GPLv2 terms and conditions. Which is going to get a mauling in the defemation case irrespective of what others would hope. Also it brings another case into court that will probably end up effecting how free speech is seen in future.

Which means this case is going to make this case interesting to a lot of people. Rather more than did the SCO-v-Linux case[2].

It will also almost certainly effect how published sample, for education and POC source code is seen which has unfortunatly become an increasing mainstay of how code cutters maintain productivity levels. Which means many corporates are goingvto take a close interest[2].

Contrary to what some may think this is rather more than a nuisance case, it has real IP issues at heart and could become a real slugging match.

In essence GRSecurity and many others do not hold Linus and his behaviour with regards Linux Kernel code very highly[1].

Therefore GRSecurity have developed quite a large amount of IP with regards the Kernel and the toolchain used to build it, which they have assembled into patches. Whilst Linus in his usual foolish way spouts of short invective at GRSecurity which is seen by most as “Linus’s way” Bruce Perens is usually a lot more circumspect.

However Bruce has made statments about the GPLv2 he has presented as fact, which he appears to be not qualified to say… Thus GRSecurity’s claim.

[1] In fact Linus’s competence with regards to security has been called into question in the past (over the random generator) and he had to grudgingly backdown.

[2] I wonder if Microsoft will give financial assistance as they did to SCO some years back.

Clive Robinson August 4, 2017 6:47 AM

Auz claims major terrorist plot foiled

In todays news is that Australia has foiled a sophisticated aircraft bombing attack by a Islamic State linked terrorist using parts imported from Turkey…

Apparently the suspects having received the parts did not procead with the plan. Which appears lucky because “inteligence” and raids did not happen till after the original planed dates. There are a bunch of other odd statments as well.

Is it just me or have other peopke noticed that many of these supposedly “foiled plots” occur in the 5eyes nations implementing the most draconian privacy invasion yet seen. Coincidence? Cause and effect? FBI style create a terrorist entrapment?

It’s interesting to see Turkey being fingered, they would have been on the US “5h1t list for MSM sound bites” like North Korea, Iran, China and currently Russia if they had not scored bonus pixie points by shooting down a Russian aircraft involved with supporting the Syrian Regime (case of my enemies enemy).

Oh international politics is a fun game…

JG4 August 4, 2017 6:50 AM

this has a little more resonance, but I miss the greed, hubris, amorality and fear

“Empire is an unstoppable machine driven by entropy maximization to crush everything in its path”

I forgot yesterday to tie adaptive systems back to OODA. the problem with all of these systems, including the FBI (which is an empire within empire), the sickcare-financial cartel, and scammers is a) that they are adaptive systems, at least until they fail to adapt to new environmental conditions, b) the feedback mechanisms cause these systems to optimize revenue, c) the the systems have hidden feedback terms and paths to enrich the insiders. we have touched on how these systems use active disinformation campaigns to enhance achievement of a), b) and c). the military-industrial complex is a fine example, where overselling the cold war and the missile gap led to billions of dollars of private profits, back when a billion here and a billion there was real money.

there was a good article yesterday at NakedCapitalism about how the scammers operate and how they are constantly probing for cognitive flaws.

I assume that people much smarter than I am already have applied these concepts to computer security. If not, this is a ripe area. I’ve mentioned before that living systems are adaptive with different timescales of adaptation for genetics, epigenetics, enzyme-substrate feedback, and reflex, which is even faster than intelligence. what OODA doesn’t capture is the adaptation step, where the feedback terms (matrices and/or tensors) are set up and adjusted over time. in biology, that is variously called evolution, where death is the sculptor of life, and training, where the features of the environment are internalized. some or most of the matrix terms are preset, which can be called instinct. for example, children born into poverty and violence have an epigenetic predisposition to violence, which is quite healthy from an estimation theory point of view. another nice example of adaptation is innoculation against viruses. the concept carries over more or less cleanly from biology to computer security.

we can think of OODA as being a set of matrices or tensors, that sequentially project orthogonal basis terms (principal factors) out of the appropriate data sets. empires do these steps automatically, but adaptive computer security systems have to use a mix of experience and prediction. the observations are some kind of sensor inputs, which could include the side-channels, network traffic, etc. the orientation step generally includes some knowledge of the past, so as to be able to make sense of the observations and the information projected out of the sensor data. the decide-act steps should apply some cost/benefit and estimation theory to the state generated by the previous two matrix (or tensor) multiplications. in robotics, the act step generally would use actuators to change the position, velocity, etc. of the machine. in a computer, it is parameters, addresses, algorithms, etc. that are altered in response to environmental inputs. if the system is designed for security and robust function, the CPU resources could be throttled to processes that are not critical. submachines could be reset to known states.

Have Smartphones Destroyed a Generation? Atlantic (resilc). Key quote:

Rates of teen depression and suicide have skyrocketed since 2011. It’s not an exaggeration to describe iGen as being on the brink of the worst mental-health crisis in decades. Much of this deterioration can be traced to their phones….There is compelling evidence that the devices we’ve placed in young people’s hands are having profound effects on their lives—and making them seriously unhappy.

Bitcoin split is a flop — so far Reuters (Li)

What Einstein’s Brain Tells Us About Intelligence, According to the Scientist Who Studied It Inc (David L)

Leaked Photos Link Corbyn To Known International Terrorist Waterford Whisper News (PlutoniumKun)

After FARC disarmament, Colombia is delivered entirely to paramilitary branches of ruthless corporations failed evolution

New Cold War

Russia Sanctions and The Coming Crackdown on Americans Ron Paul Institute

Big Brother is Watching You Watch

This Mysterious Military Spy Plane Has Been Flying Circles Over Seattle For Days The Drive

Facebook’s related articles will add fact to fake news shares – Endgadget. Chuck L: “Thankfully, Facebook takes upon itself the responsibilities of the Ministry of Truth.”


Wisconsin company to install microchips in employees Daily Mail (Brian C). The program is voluntary…for now…

Verizon’s latest rewards program shares gobs of your data (updated) Endgadget (Chuck L)

Review: GPS trackers for children Financial Times

Dumbo Wikipedia

How the CIA Came to Doubt the Official Story of JFK’s Murder Politico (David L)

Dirk Praet August 4, 2017 7:20 AM

@ Thoth, @ Slime Mold With Mustard, @ furloin

This is how the US Govt says Thank You to whitehat security researchers for stopping malware infection.

Without questioning the less than friendly disposition of the USG towards security researchers, what I understand from the article is that Marcus Hutchins was arrested on conspiracy (18 USC 371), CFAA (18 USC 1030) and ECPA (18 USC 2511-2512) related charges for his alleged involvement in the creation of the Kronos banking malware, not for his work on WannaCry.

@ Clive

… the cyber legislation is realy realy badly written and of such wide scope to the point you could be convicted reading the screen of an unattended computer like an ATM …

Spot on. The 1986 CFAA is an amendment to the Comprehensive Crime Control Act of 1984, predates the internet and was a direct result of the cult movie “War Games”. In its current form it is overly broad and can easily be used to jail any minor offender or even legitimate security researcher for decades, or, as in the case of Aaron Swartz, prosecute them into suicide. Despite eight amendments, its core remains untouched and all attempts to modify it – like Aaron’s Law – went exactly nowhere.

The Software and Information Industry Association (SIIA), counting among its members Oracle, IBM, Red Hat and Google, is one of the strongest opponents to any change.

In practice, it means that any security researcher who for whatever reason has provoked the ire of either the US IC or a corporate entity can be arrested at any time when entering the US, either on real or bogus charges, and that it is thus not in their best interest to even consider attending conferences like Black Hat or Defcon. Especially those with something to hide. The NSA knows what you did last summer.

GRSecurity sue Linux “Personality” for defamation

The way I read the indictment, it’s less about GPLv2 than it is about defamation, i.e. making false statements with the intent to hurt GRSecurity. This is an obvious attempt to silence Perens, whom I personally think is correct about the heart of the matter and has also explicitly stated in his posts that he is not a lawyer, merely a technologist with an interest in IP related matters. Which makes GRSecurity’s argument rather moot.

I do kinda like the statement of their lawyers: “No court of law has ever established that a statement implying a false assertion of fact is constitutionally protected speech, and we intend to hold Mr Perens accountable to the fullest extent permitted by law.” This is factually incorrect and would put entities like Fox News or current POTUS in a world of legal troubles.

GRSecurity : Strategic Lawsuit Against Public Participation August 4, 2017 8:18 AM

People here are confusing copyright with defamation:

“This is a defamation lawsuit, not a copyright infringement lawsuit. The only thing that will be litigated is whether Mr. Perens has a right to express his opinion. And he did. If expressing an opinion about a legal matter was defamation, then all complaints in lawsuits would be defamation too. The complaint in this lawsuit just can’t win.

So, you will not learn whether Grsecurity had a right to do what they are doing from this suit. That is a copyright matter and just can’t be litigated in a defamation lawsuit. This suit will only determine that Mr. Perens had a right to make his statement.

This is obviously a matter for the SLAPP law, which prevents deep-pockets entities from bringing spurious defamation lawsuits just to keep someone from expressing their opinion publicly. This sort of case is literally why the SLAPP law was made. Thus, it’s obvious that Peren’s law firm will make a SLAPP filing next, which will mean a swift conclusion to the case, and Open Source Security, Inc. will end up having to pay all of Mr. Peren’s legal expenses.

Note that Perens is using a world-class law firm that can handle any sort of issue, and a lead attorney who wrote a book about Open Source licensing. In contrast, Open Source Security Inc. is using a one-man law firm and all of their online reviews are about their patent filings. It sounds like Mr. Patent Attorney might have been naive to file this case, and his customer ill-advised. Open Source Security Inc. joins the list of litigious turkeys.”

From Wikipedia:
The typical SLAPP plaintiff does not normally expect to win the lawsuit. The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. In some cases, repeated frivolous litigation against a defendant may raise the cost of directors and officers liability insurance for that party, interfering with an organization’s ability to operate.[2] A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat.

ab praeceptis August 4, 2017 9:26 AM

Clive Robinson

Let’s just sit down and think about that for a moment. grsecurity’s defense, if I got that right, pretty much comes down to “the gpl can’t and doesn’t make claims into the future”!

That’s pretty weird. grsecurity has a clause that says that customers who distribute (payed for) grsec. stuff to others will not get any more patchsets – future.
A rather weird position and a rather questionable one because, once a customer is “blocked” it’s not future but current reality.

What really made me LOL is this: grsec. puts their stuff under gpl, too! hahaha.

In other words: We see a case of gpl infighting. Nice.

The other point I find noteworthy in that case is that bruce perens in a way embodies what the gpl opponents frequently – and rightly – assert, namely that first the gpl comes all friendly and honeymoon but once you are in the trap they show their dictatorial face.

I remember well when many years ago perens was a major force in getting printer manufacturers to create linux drivers, too, or to at least provide the necessary information for linux people to write those drivers. So, perens formertimes did good things for foss.

Wael August 4, 2017 10:29 AM

@Dirk Praet,

The NSA knows what you did last summer.

Correction: NSA knows what you’ll do next summer, and which 0.0005 star resort you’ll reside in after detention. Truth of the matter is they have the technology. Have an open mind! I’m sick and tired of all these closed-minded people that label facts as “Conspiracy theory”. Conspiracy, my ankle 😉

Dirk Praet August 4, 2017 11:52 AM

@ GRSecurity : Strategic Lawsuit Against Public Participation, @ Clive

This is obviously a matter for the SLAPP law

It would indeed be the obvious strategy for the defense to pursue since the case has apparently been filed in San Francisco. California Code of Civil Procedure § 425.16 provides excellent (and inexpensive) means to kill this thing dead in the water, especially because their lawyer(s) seem(s) to be about as clueless as a Thomson’s gazelle asking a pack of lions for directions.

GRSecurity’s statement that their agreement only applies to future patches is a not even thinly disguised legal trick to work around GPLv2’s Section 6, and which every judge worth his salt would acknowledge as such even if the suit were about copy infringement, and which it is not. The recent Neymar transfer to PSG comes to mind, and which is a similar piece of legal (but immoral) high tech to work around La Liga and UEFA fair play rules.

@ Wael

NSA knows what you’ll do next summer, and which 0.0005 star resort you’ll reside in after detention.


@ all

The internet of sh*t strikes again: : which ignorant user near you do you want to rob today? Currently a huge thing in Belgium that has Romanian, Bulgarian and Polish burglar gangs working overtime.

StarterPack August 4, 2017 12:26 PM

Disclaimer: I have no idea what undisclosed evidence the FBI has on Marcus Hutchins (MalwareTech), and I’m not speaking from deep experience here, so I’m aware I may be drawing some naïve conclusions. That said…

Reading the indictment it appears that the US government is making some specific and detailed charges against the unnamed co-defendant. In contrast, it seems that they have little to hold against Marcus himself. They assert that he wrote and updated Kronos, but they don’t reveal any evidence for those assertions. The grand jury must have been given something to substantiate the charge, but the indictment gives no hint of what this was. This is in contrast to the allegations that the co-defendant took some very specific (and provable) actions.

Writing at the Volokh Conspiracy, Orin Kerr takes apart what those charges mean and (in a lawyerly way) casts a lot of doubt on whether someone who writes a software tool is culpable for actions taken by someone who bought that tool. But that analysis kinda pre-supposes that Marcus did actually write some portion of Kronos, which I don’t currently see any evidence for.

The clearest link between Marcus and Kronos that anyone has come across is this July 13, 2014 Twitter post where he asks for a sample. That request seems (a) 100% legal, (b) totally consistent with being a researcher fascinated with taking apart malware, which is what Marcus has said in various interviews, and (c) to make no sense for someone who was actually a developer behind Kronos. (I’ve read people saying “but maybe he was laying a trail of disinformation” and that just sounds like an implausible movie plot.)

For comparison, here’s </a href=”>a post on Kronos from IBM’s Security Intelligence blog two days earlier than Marcus’s request that acknowledges that researchers working for IBM’s Trusteer counter-fraud team are also seeking a sample of Kronos.

As others have noted, the fact that the co-defendant’s name has been redacted suggests either that the FBI does not have the defendant in custody, or that the defendant has decided to provide details to investigators. Assuming the latter for the moment, it’s possible that the identification of Marcus as the creator of Kronos was provided by this other defendant. It’s certainly plausible that this defendant, who allegedly marketed and sold Kronos, had his own reasons to falsely name a security researcher as the creator.

Returning to my disclaimer, we don’t know whether investigators have more compelling evidence that points directly to Marcus. Maybe they can demonstrate that Marcus authored Kronos or some part of it. If so, then the case is in the realm of Orin Kerr’s arguments about culpability for authoring a software tool. But at this point it’s entirely plausible that the indictment is based on some wild assumptions. If that turns out to be true, it raises important questions about the freedom of security researchers to do their jobs without laying themselves open to serious criminal charges.

Clive Robinson August 4, 2017 12:29 PM

@ Wael,

Have an open mind!

You should remember Terry Pratchett’s observation on that,

    The problem with having an open mind is, people will insist on coming along and filling it with all sorts of rubbish.

Clive Robinson August 4, 2017 12:57 PM

@ ab praeceptis,

Let’s just sit down and think about that for a moment. grsecurity’s defense, if I got that right, pretty much comes down to “the gpl can’t and doesn’t make claims into the future”!

That’s about what the GPLv2 might or might not say after appropriate consideration.

But is not what the case is about. GRSecurity is claiming that Bruce Perens has made non factual statments, and included GRSecurity in them in a way that has caused them –quantifiable– harm.

As for it being a SLAPP I’d wait and see what Bruce Peren’s legal representitive does, then what the judge has to say. The judge may decide the case has merit in which case an anti-SLAPP motion if made will have failed.

@ Dirk Praet,

Bruce Peren’s has frequently been seen as the “reasonable/moderate voice” but in this case he has behaved at varience to that. That alone should make peoples eyebrows raise. Especially when other companies are clearly breaching GPLv2 and GRSecurity is being harmed by this.

As for the “future argument” it is novel and actually reasonable. Put simply it says that anyone who pays GRSecurity for their work so far has certain rights, but those rights do not extend to furure work from GRSecurity. It’s a bit like a farmer saying you can buy my crops this year and give them away if you wish, but that does not entitle you to my future crops or to give them away.

Bong-Smoking Primitive Monkey-Brained Spook August 4, 2017 1:26 PM

@Clive Robinson,

The problem with having an open mind is, people will insist on coming along and filling it with all sorts of rubbish.

Makes total sense! I once had an open mind. The good news is it’s now closed. Problem is it’s full of all sorts of rubbish 🙁

Dirk Praet August 4, 2017 2:25 PM

@ Clive

The judge may decide the case has merit in which case an anti-SLAPP motion if made will have failed.

Content-based restrictions on speech are generally presumed to be invalid, although there are exceptions to that rule for certain categories of speech, e.g. defamation, fraud, and obscenity. Whereas plaintiff can indeed claim “legally cognizable harm”, the mitigating factor – unless proven otherwise – is the absence of intent to defraud or secure moneys.

Whether or not GPLv2 applies isn’t the issue, it is whether or not Bruce Perens had the right to voice his opinion and whether or not he told factual and deliberate lies with the intent to harm GRSecurity. The fact that plaintiff has to resort to a quite novel argument – that may or may not stand in court – in itself shows that the heart of the matter is very much open for debate, thus lacks any standing to be called a “factual lie”, even more so because Perens explicitly said that he was not a lawyer and his assertion merely an opinion, not a proven fact.

Whilst I am not denying that GRSecurity has been treated in an outrageous way both by Linus and others that have made significant profits on their back, this brutal attempt to hit back at Perens is not gonna get them sympathy anywhere. If I were them, I’d drop the case, hire another lawyer and sue the Linux Foundation over their interpretation of GPLv2 as applicable to their IMO quite valuable kernel security patches. Only when, and if proven right over the heart of the matter will they have any legal standing to bring on a defamation suit against anyone (still) claiming the contrary. Meanwhile, it is indeed a SLAPP.

Thoth August 4, 2017 6:39 PM

@Clive Robinson

Re: Turkey

I wonder what happens if Turkey gets pissed off with NATO and EU and flips side to fully and openly ally with Russia and China ? Any ideas ?

Ratio August 4, 2017 8:25 PM

@Dirk Praet,

If I were [GRSecurity], I’d drop the case, hire another lawyer and sue the Linux Foundation over their interpretation of GPLv2 as applicable to their IMO quite valuable kernel security patches.

The Linux Foundation would be correct in that assessment, given that GRSecurity has licensed their patches under GPLv2.

tyr August 4, 2017 9:38 PM

@Clive, Wael

I’m surprised no one has noticed that the
Rus now have a warm water port on the Med
coast. It also puts them on both sides of
the Turks. The Turks didn’t seem too pleased
with the interlocks of weapons systems so
decided to buy Russian air defence system.

Considering all the noisy rhetoric about
Reconquista 2.0 that should not have been
a surprise. You can see the same effects
in North Korea. MacArthur was fired for
his desire to nuke the north in 1953 and
they have been operating under the assumption
it is the USAs long term plans for them.

The trouble with conspiracy theory is they
usually turn out to be real. Snowden being
the latest confirmation. Not a week goes by
that some crooked bank swindle is exposed
to view.

I had high hopes for my cellphoney cure.. :^).

I find my cynicism and sense of humour the
way to compensate for the rubbish I’ve been
peddled over the years. Apoplexy might be a
result of taking things too seriously.

Check this out.

Quite an interesting creature.

Ratio August 4, 2017 10:42 PM

I’m surprised no one has noticed that the Rus now have a warm water port on the Med coast.

The existence of a Russian naval facility in the Syrian port of Tartus (طرطوس) seems to have come up repeatedly, even in mass media, over the past couple of years now. Usually in the context of some kind of obscure armed conflict nearby and reasons for Russian involvement in same.

Thoth August 4, 2017 11:21 PM

@Ben A

Re: Firefox Send

The best way to implement a self-destruct file transfer or data transfer is to use a tamper resistant secure hardware with a reliable timestamp bit as per usual, this is a lot of overheads and lots to trust anyway.

Wael August 4, 2017 11:55 PM

@tyr, @Clive Robinson,

What’s with your formatting, man? Are you using Edlin to compose your posts? I’m puzzled! I can’t copy them properly, either! Are you gonna tell me or do I have to analyze it in a hex editor?

The trouble with conspiracy theory is they usually turn out to be real. Snowden being the latest confirmation. Not a week goes by that some crooked bank swindle is exposed to view.

They say: there is no smoke without fire! ‘Labeling’ is an easy way out for those who can’t engage in an intellectual discussion.

Quite an interesting creature.

‘Creature’, huh? 🙂 Really fascinating read. So perhaps this creature came to earth on meteor or some other mode of transportation… I don’t know what to make of it except that there exists several paths of evolution. This was the strangest for me: Why is ‘ctenophore’ pronounced ‘ten-o-for’ or ‘teen-o-for’?

I find my cynicism and sense of humour the way to compensate for the rubbish I’ve been peddled over the years. Apoplexy might be a result of taking things too seriously.

You and me both.


You should have used the Phoenician alphabet instead of the Arabic one 😉

ab praeceptis August 5, 2017 12:56 AM


Will steganography go the same way as encryption and be unlawfully outlawed by war mongering greedy politicos who have no care about mathematics ?

My guess: No.

Reason: They’d probably love to but unlike encryption it’s in the nature of steganography that it’s hard to detect. To make it worse one could transmit encrypted data. Keep in mind that good encryption creates data material that is indistinguishable from random. Properly applied (e.g. random noising the whole carrier as opposed to only the part containing sg. content) it would be extremely hard for a prosecutor to win his case in court.

More importantly, there would be no “trigger” as with, say, https vs http where it’s ridiculously easy to recognize “that stuff is encrypted!”.

Clive Robinson August 5, 2017 2:31 AM

@ Bong Smoking…

Problem is it’s full of all sorts of rubbish 🙁

So the Bong is not realy a bong but an industrial grade incinerator…

Which means we woukd have to call you,

Mind Incinerating primate savant (MIPS)

In future 😉

Bong-Smoking Primitive Monkey-Brained Spook (MIPS equipped) August 5, 2017 3:45 AM

@ Clive Robinson,

Mind Incinerating primate savant (MIPS)

Savant! I love it. Two levels of indirection better than one itchy foot covering. I’ll use ‘MIPS equipped’ when I say something particularly ‘savantish’ like our friend of late (horn equipped) did.

Clive Robinson August 5, 2017 5:23 AM

@ Thoth,

Turkey has indirectly allied it’s self with China by alowing ISIS oil to be shipped through Turkey. As China and Russia have much warmer relations these days than they have done in the past, it may be a case of “My friends friend”. However they did as far as we know shoot down a Russian military aircraft that was engaged in actions in Syria possibly against the Kurds, which the current Turkish leadership hates, so there is a puzzel to contemplate.

With regards,

Will steganography go the same way as encryption and be unlawfully outlawed by war mongering greedy politicos who have no care about mathematics ?

Yes but for less obvious reasons.

You have to start by differentiating codes and ciphers. It’s the latter that tend to use mathmatics in their use not the former. Further codes are not one to one in their mapping or sizes which is why they are much more broadly usefull and are found in both compression, and error correction.

One use of codes is in One Time Phrases. These saw use during WWII with the BBC transmitting “Now for some messages for our friends…”. You pick a harmless set of phrases more or less at random such as “The cat sat on the mat”, “The dog chased it’s tail, “The frog hopped”, “The bird sang” etc to these you give one off meanings such as “Attack target A”, “meet at point x” etc. The enemy hears the messages but can not ascribe meaning to them. Further to reduce the chance of analysis you always send the same number of messages each time thus there are meaningless phrases transmitted as well.

You can do similar with personal communications on the phone or by letter. The difference is that the phrases have to sound natural within the rest of the letter or phone call.

The advantage as far as the authorities are concerned is that they can use such a banning law to imprisson people they do not like. Because of the duality of logic, if they can not prove a message is hidden in a text, you can not prove there is not a message hidden in the text. All they have to do is show spurious correlation sufficient to a bunch of rubes selected for jury service. In some jurisdictions they do not even have to win just bringing the case means you are imprisoned or impoverished then subject to funneling nearly all your resources into defending yourself. Even if you win they will ensure that there is noway you can get restitution. So they effectivly fine you into non existance.

Ratio August 5, 2017 6:49 AM


You should have used the Phoenician alphabet instead of the Arabic one 😉

Hey, don’t blame me, I’m only copying the locals. 😛

Dirk Praet August 5, 2017 8:33 AM

@ Ratio, @ tyr

I’m surprised no one has noticed that the Rus now have a warm water port on the Med coast.

It’s been there since the Cold War. Tartus is the Russian Navy’s only Mediterranean repair and replenishment base left, sparing warships the trip back to their Black Sea bases through the Turkish Straits. Until 1977, they used to have naval bases in Egypt too, but those were eventually abandoned. The preservation of Tartus was the main (and probably only) reason for Russia intervening in the Syrian conflict.

@ Ratio

The Linux Foundation would be correct in that assessment, given that GRSecurity has licensed their patches under GPLv2.

I think the same, but we should probably both add that we are not lawyers and merely stating an opinion without the intent to harm or defraud anyone and as to avoid our host from getting sued by GRSecurity’s lawyer(s) too. I also have no desire to have my *ss arrested when for whatever reason entering the US and then getting hit with a multi-million dollar defamation lawsuit that will prosecute me into jail and/or bankruptcy.

@ Thoth

I wonder what happens if Turkey gets pissed off with NATO and EU and flips side to fully and openly ally with Russia and China ?

Despite Erdogan’s anti-EU rhetoric, the Turkish economy still very much depends on western trade, tourism, investments and moneys sent back to the home land by countless millions of Turkish emigrants living in Europe. He just needs this posturing to come across as a strong leader to his gullible electorate because he knows only too well that his authoritarianism is antithetical to everything the EU stands for and thus will never lead to full or even partial EU membership.

He also has nothing to gain from teaming up with Russia, which in the end is a typical 19th century European empire struggling to survive and not even half the threat to the West as the MIC would like us to believe. Openly turning against the West and allying himself with Russia could elicit similar EU and US sanctions as are today in place against Russia, and which the Turkish economy cannot afford without the common people turning against him.

As to the Chinese, they are only interested in trade – whether it be legal or illegal – and have no interest whatsoever of getting implicated in the political quagmire that is the Middle East and that ultimately is of little to no geo-strategic interest to them. At least for now.

Clive Robinson August 5, 2017 9:35 AM

@ Dirk Praet, Others,

It would appear that the FBI have been using administrative dirty tricks on Marcus (unsupprisingly).

But it has also had an immediate and undesirable “chilling effect” which if it spreads will make life very much more insecure for everybody…

Ratio August 5, 2017 10:26 AM

@Dirk Praet,

The Linux Foundation would be correct in that assessment, given that GRSecurity has licensed their patches under GPLv2.

I think the same, but we should probably both add that we are not lawyers and merely stating an opinion without the intent to harm or defraud anyone […]

Heh. No worries, I was merely stating a fact:


11. Plaintiff provides kernel hardening security software code (“Patches”) under the trade name of Grsecurity® for the Linux® Operating System to clients throughout the United States and all over the world via their website2.

12. The Patches are released under the GNU General Public License, version 2 (“GPLv2”).3


2 Open Source Security, Inc., Grsecurity, (last visited Jul 16, 2016).

3 See Open Source Security, Inc., Download, GRSECURITY, (last visited Jul 16, 2016).


The above is from their legal complaint, linked to in this article.

(You were thinking of the question if GRSecurity’s patches are a derivative work of the Linux kernel, etc. We’ve come to the same conclusion, it seems: yes, they are. But that is a separate, though related, issue.)

Dirk Praet August 5, 2017 10:52 AM

@ Clive

But it has also had an immediate and undesirable “chilling effect” which if it spreads will make life very much more insecure for everybody…

I believe it is exactly this chilling effect they are pursuing: we can get at anyone at any time. Meanwhile, Hutchins has been granted bail set at $30k, but which he can’t pay. According to the prosecutor – and as per the usual FBI MO -, he seems to have been caught in a sting operation selling code to undercover operatives and alledgedly has confessed to writing and selling Kronos. His lawyer says he’s pleading not guilty on all six counts.

I don’t know what to think of this. This means that either he was indeed involved, or was stupid enough to sell a sample (he might have procured himself) to a bunch of undercover feds. Unless they have solid proof that Hutchins indeed contributed to the creation of Kronos, it sounds like a classic case of entrapment.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.